A new ransomware strain, PlayBoy LOCKER, has been identified targeting Windows, NAS, and ESXi systems.
First discovered in September 2024 as a Ransomware-as-a-Service (RaaS) offering, the malware later had its full source code put up for sale in November, potentially enabling wider distribution by other threat actors.
The ransomware encrypts files and appends the “.PLBOY” extension, while also deleting Volume Shadow Copies to hinder recovery efforts.
Victims are pressured via a ransom note (“INSTRUCTIONS.txt”) and altered desktop wallpapers, threatening data leaks unless payment is made.
According to the Report, Broadcom’s Symantec has deployed detection mechanisms for PlayBoy LOCKER, including adaptive, file-based, and machine learning-based protections. Key detection signatures include Trojan.Gen.MBT, Heur.AdvML.A!300, and ACM.Untrst-RunSys!g1.
VMware Carbon Black products also block associated indicators, recommending policies to prevent execution of known and suspected malware.
The ransomware’s initial focus on Germany suggests potential expansion into other high-value targets, emphasizing the need for robust cybersecurity measures.
No free decryption tool is currently available for PlayBoy LOCKER, leaving victims with limited options beyond backups or ransom payments.
Infection vectors include malicious email attachments, pirated software, and exploit kits.
Organizations are advised to enforce strict email filtering, disable macros, and maintain offline backups to mitigate risks.
Broadcom’s support portal remains operational for assistance, though users must register with an Enterprise Site ID to open cases.
The ransomware’s multi-OS support and evolving tactics highlight its adaptability, underscoring the importance of proactive defense strategies.
Are you from SOC/DFIR Teams? – Analyse Malware, Phishing Incidents & get live Access with ANY.RUN -> Start Now for Free.
In a recent revelation by SEQRITE Labs, a highly sophisticated cyber-espionage campaign, dubbed Operation HollowQuill,…
A new wave of cyberattacks orchestrated by the advanced persistent threat (APT) group Earth Alux…
The term "Lazarus Group," once used to describe a singular Advanced Persistent Threat (APT) actor,…
DarkCloud, a highly advanced stealer malware, has emerged as a significant threat to Windows systems…
Cado Security Labs has uncovered a new Python-based Remote Access Tool (RAT) named Triton RAT,…
Russian-aligned cyber threat groups, UAC-0050 and UAC-0006, have significantly escalated their operations in 2025, targeting…
