A new ransomware strain, PlayBoy LOCKER, has been identified targeting Windows, NAS, and ESXi systems.
First discovered in September 2024 as a Ransomware-as-a-Service (RaaS) offering, the malware later had its full source code put up for sale in November, potentially enabling wider distribution by other threat actors.
New Ransomware Strain Emerges with Multi-OS Capabilities
The ransomware encrypts files and appends the “.PLBOY” extension, while also deleting Volume Shadow Copies to hinder recovery efforts.
.png
)
Victims are pressured via a ransom note (“INSTRUCTIONS.txt”) and altered desktop wallpapers, threatening data leaks unless payment is made.
According to the Report, Broadcom’s Symantec has deployed detection mechanisms for PlayBoy LOCKER, including adaptive, file-based, and machine learning-based protections. Key detection signatures include Trojan.Gen.MBT, Heur.AdvML.A!300, and ACM.Untrst-RunSys!g1.
VMware Carbon Black products also block associated indicators, recommending policies to prevent execution of known and suspected malware.
The ransomware’s initial focus on Germany suggests potential expansion into other high-value targets, emphasizing the need for robust cybersecurity measures.
Mitigation and Recovery Challenges
No free decryption tool is currently available for PlayBoy LOCKER, leaving victims with limited options beyond backups or ransom payments.
Infection vectors include malicious email attachments, pirated software, and exploit kits.
Organizations are advised to enforce strict email filtering, disable macros, and maintain offline backups to mitigate risks.
Broadcom’s support portal remains operational for assistance, though users must register with an Enterprise Site ID to open cases.
The ransomware’s multi-OS support and evolving tactics highlight its adaptability, underscoring the importance of proactive defense strategies.
Are you from SOC/DFIR Teams? – Analyse Malware, Phishing Incidents & get live Access with ANY.RUN -> Start Now for Free.
