A new Linux variant of Play ransomware targets VMware ESXi environments, which encrypts virtual machine files and appends the “.PLAY” extension by leveraging obfuscation techniques to bypass detection and is compressed with a Windows variant in a RAR archive.
It utilizes similar tactics as the Windows version based on the presence of common tools associated with Play ransomware on the command-and-control server, which suggests that the Play ransomware group is expanding its attacks to Linux environments and potentially increasing the impact of their operations.
In the initial infection stage, it verifies the environment by looking for the presence of ESXi-specific commands (vim-cmd and esxcli), and if the commands are found, the ransomware proceeds with its malicious routine.
Join our free webinar to learn about combating slow DDoS attacks, a major threat today.
First, it disables all running virtual machines to prevent data access or modification. Then, it sets a custom welcome message on the ESXi host, potentially alerting victims of the attack.
The ransomware encrypts critical VM files, including disks, configuration files, and metadata files, rendering them inaccessible. To indicate that Play ransomware has infected them, the encrypted files have the “.PLAY” extension appended.
A ransom note is dropped in the root directory of the compromised system, and the same note is displayed on both the ESXi login portal and the console, which ensures that the victim will encounter the ransom note regardless of the method used to access the compromised ESXi system.
Analysis of the Play ransomware attack revealed a connection to Prolific Puma, a threat actor known for offering link-shortening services using domains generated by a Registered Domain Generation Algorithm (RDGA).
The ransomware payload and other tools were hosted on a server with several IP addresses, which resolved to multiple RDGA domains registered by Porkbun, LLC, and NameCheap, Inc., further obfuscating the attacker’s identity.
Prolific Puma registered domains that resolved to the Play ransomware IP address using their typical short and random names, and the message that appeared on these domains matched that seen in Prolific Puma’s infrastructure.
The Coroxy backdoor used by Play ransomware connected to another IP address that also resolved to Prolific Puma-linked domains by connecting to an IP address that resolved to multiple domains registered by Prolific Puma.
Further investigation by Trend Micro revealed this IP belonged to the same autonomous system (ASN) as another IP linked to Prolific Puma, indicating they share the same network provider.
The overlap in infrastructure suggests a potential collaboration between Play ransomware and Prolific Puma, while Play ransomware may be seeking to improve its ability to bypass security measures using Prolific Puma’s services.
Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo