Play Ransomware’s Linux Variant Attacking VMware ESXi Servers

A new Linux variant of Play ransomware targets VMware ESXi environments, which encrypts virtual machine files and appends the “.PLAY” extension by leveraging obfuscation techniques to bypass detection and is compressed with a Windows variant in a RAR archive. 

It utilizes similar tactics as the Windows version based on the presence of common tools associated with Play ransomware on the command-and-control server, which suggests that the Play ransomware group is expanding its attacks to Linux environments and potentially increasing the impact of their operations.  

The infection chain of the Linux variant of Play ransomware includes the use of several tools.

In the initial infection stage, it verifies the environment by looking for the presence of ESXi-specific commands (vim-cmd and esxcli), and if the commands are found, the ransomware proceeds with its malicious routine.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

First, it disables all running virtual machines to prevent data access or modification. Then, it sets a custom welcome message on the ESXi host, potentially alerting victims of the attack. 

The ransomware encrypts critical VM files, including disks, configuration files, and metadata files, rendering them inaccessible. To indicate that Play ransomware has infected them, the encrypted files have the “.PLAY” extension appended. 

The login portal of the affected ESXi server also displays the ransom note.

A ransom note is dropped in the root directory of the compromised system, and the same note is displayed on both the ESXi login portal and the console, which ensures that the victim will encounter the ransom note regardless of the method used to access the compromised ESXi system.

Analysis of the Play ransomware attack revealed a connection to Prolific Puma, a threat actor known for offering link-shortening services using domains generated by a Registered Domain Generation Algorithm (RDGA). 

The ransomware payload and other tools were hosted on a server with several IP addresses, which resolved to multiple RDGA domains registered by Porkbun, LLC, and NameCheap, Inc., further obfuscating the attacker’s identity.  

The VirusTotal result of the URL mentions Prolific Puma.

Prolific Puma registered domains that resolved to the Play ransomware IP address using their typical short and random names, and the message that appeared on these domains matched that seen in Prolific Puma’s infrastructure. 

The Coroxy backdoor used by Play ransomware has been detected, establishing a connection to the specified IP address.

The Coroxy backdoor used by Play ransomware connected to another IP address that also resolved to Prolific Puma-linked domains by connecting to an IP address that resolved to multiple domains registered by Prolific Puma. 

Further investigation by Trend Micro revealed this IP belonged to the same autonomous system (ASN) as another IP linked to Prolific Puma, indicating they share the same network provider.  

The overlap in infrastructure suggests a potential collaboration between Play ransomware and Prolific Puma, while Play ransomware may be seeking to improve its ability to bypass security measures using Prolific Puma’s services. 

Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo

Aman Mishra

Recent Posts

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting victims…

4 hours ago

Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ advanced…

4 hours ago

XSS Vulnerability in Bing.com Let Attackers Send Crafted Malicious Requests

A significant XSS vulnerability was recently uncovered in Microsoft’s Bing.com, potentially allowing attackers to execute…

7 hours ago

Meta Removed 2 Million Account Linked to Malicious Activities

 Meta has announced the removal of over 2 million accounts connected to malicious activities, including…

10 hours ago

Veritas Enterprise Vault Vulnerabilities Lets Attackers Execute Arbitrary Code Remotely

Critical security vulnerability has been identified in Veritas Enterprise Vault, a widely-used archiving and content…

11 hours ago

7-Zip RCE Vulnerability Let Attackers Execute Remote Code

A critical security vulnerability has been disclosed in the popular file archiving tool 7-Zip, allowing…

11 hours ago