Play Ransomware’s Linux Variant Attacking VMware ESXi Servers

A new Linux variant of Play ransomware targets VMware ESXi environments, which encrypts virtual machine files and appends the “.PLAY” extension by leveraging obfuscation techniques to bypass detection and is compressed with a Windows variant in a RAR archive. 

It utilizes similar tactics as the Windows version based on the presence of common tools associated with Play ransomware on the command-and-control server, which suggests that the Play ransomware group is expanding its attacks to Linux environments and potentially increasing the impact of their operations.  

The infection chain of the Linux variant of Play ransomware includes the use of several tools.

In the initial infection stage, it verifies the environment by looking for the presence of ESXi-specific commands (vim-cmd and esxcli), and if the commands are found, the ransomware proceeds with its malicious routine.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

First, it disables all running virtual machines to prevent data access or modification. Then, it sets a custom welcome message on the ESXi host, potentially alerting victims of the attack. 

The ransomware encrypts critical VM files, including disks, configuration files, and metadata files, rendering them inaccessible. To indicate that Play ransomware has infected them, the encrypted files have the “.PLAY” extension appended. 

The login portal of the affected ESXi server also displays the ransom note.

A ransom note is dropped in the root directory of the compromised system, and the same note is displayed on both the ESXi login portal and the console, which ensures that the victim will encounter the ransom note regardless of the method used to access the compromised ESXi system.

Analysis of the Play ransomware attack revealed a connection to Prolific Puma, a threat actor known for offering link-shortening services using domains generated by a Registered Domain Generation Algorithm (RDGA). 

The ransomware payload and other tools were hosted on a server with several IP addresses, which resolved to multiple RDGA domains registered by Porkbun, LLC, and NameCheap, Inc., further obfuscating the attacker’s identity.  

The VirusTotal result of the URL mentions Prolific Puma.

Prolific Puma registered domains that resolved to the Play ransomware IP address using their typical short and random names, and the message that appeared on these domains matched that seen in Prolific Puma’s infrastructure. 

The Coroxy backdoor used by Play ransomware has been detected, establishing a connection to the specified IP address.

The Coroxy backdoor used by Play ransomware connected to another IP address that also resolved to Prolific Puma-linked domains by connecting to an IP address that resolved to multiple domains registered by Prolific Puma. 

Further investigation by Trend Micro revealed this IP belonged to the same autonomous system (ASN) as another IP linked to Prolific Puma, indicating they share the same network provider.  

The overlap in infrastructure suggests a potential collaboration between Play ransomware and Prolific Puma, while Play ransomware may be seeking to improve its ability to bypass security measures using Prolific Puma’s services. 

Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo

Aman Mishra

Recent Posts

PEFT-As-An-Attack, Jailbreaking Language Models For Malicious Prompts

Federated Parameter-Efficient Fine-Tuning (FedPEFT) is a technique that combines parameter-efficient fine-tuning (PEFT) with federated learning…

4 hours ago

Hackers Cloning Websites, Exploiting RCE Flaws To Gain Access To Shopping Platforms

Cybercriminals are leveraging AI-powered phishing attacks, website cloning tools, and RCE exploits to target e-commerce…

4 hours ago

Hackers Exploited Windows Event Logs Tool log Manipulation, And Data Exfiltration

wevtutil.exe, a Windows Event Log management tool, can be abused for LOLBAS attacks. By manipulating…

4 hours ago

Threat Actors Allegedly Claims Breach of EazyDiner Reservation Platform

Reports have emerged of a potential data breach involving EazyDiner, a leading restaurant reservation platform.…

9 hours ago

Salesforce Applications Vulnerability Could Allow Full Account Takeover

A critical vulnerability has been discovered in Salesforce applications that could potentially allow a full…

12 hours ago

TP-Link HomeShield Function Vulnerability Let Attackers Inject Malicious Commands

A significant vulnerability has been identified in TP-Link's HomeShield function, affecting a range of their…

12 hours ago