Cybersecurity researchers have identified a new Linux variant of the ransomware strain known as Play (also called Balloonfly and PlayCrypt), specifically targeting VMware ESXi environments.
“This suggests that the group may be expanding its attacks to the Linux platform, potentially increasing its victim base and enhancing ransom negotiation leverage,” Trend Micro researchers stated in a report released on Friday.
First detected in June 2022, Play ransomware is notorious for its double extortion strategy, encrypting systems after stealing sensitive data and demanding payment for a decryption key. By October 2023, estimates from Australia and the U.S. indicated that around 300 organizations had fallen victim to this ransomware group.
Trend Micro’s statistics for the first seven months of 2024 show the U.S. has the highest number of victims, followed by Canada, Germany, the U.K., and the Netherlands.
Industries such as manufacturing, professional services, construction, IT, retail, financial services, transportation, media, legal services, and real estate have been significantly impacted by Play ransomware.
The cybersecurity firm’s analysis of the Linux variant was based on a RAR archive file hosted at IP address 108.61.142[.]190, which also contained tools previously used in attacks, including PsExec, NetScan, WinSCP, WinRAR, and the Coroxy backdoor.
“While no infections have been confirmed, the command-and-control (C&C) server hosts common tools used by Play ransomware in its attacks, suggesting that the Linux variant may use similar tactics, techniques, and procedures (TTPs),” Trend Micro noted.
Upon execution, the ransomware checks for an ESXi environment, encrypting virtual machine (VM) files, including VM disk, configuration, and metadata files, appending them with the “.PLAY” extension, and placing a ransom note in the root directory.
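The behaviour described above (a “.PLAY” suffix appended to VM disk, configuration and metadata files) gives a defender a simple datastore triage signal. The following is an added example, not code from Trend Micro or from the report; it assumes the standard ESXi file extensions for those three categories (.vmdk, .vmx, .vmsd, .vmxf, .nvram), which the report does not enumerate, and uses a constructed directory listing rather than real indicators.

```python
from collections import defaultdict
from pathlib import PurePosixPath

# Standard ESXi VM file types by category. The report says the variant encrypts
# VM disk, configuration and metadata files; the exact extensions it touches
# are an assumption here.
VM_FILE_CATEGORIES = {
    ".vmdk": "disk",
    ".vmx": "configuration",
    ".vmsd": "metadata",
    ".vmxf": "metadata",
    ".nvram": "metadata",
}
ENCRYPTED_SUFFIX = ".PLAY"  # appended to encrypted files per the report


def classify_path(path: str):
    """Return (vm_dir, category) if path looks like an encrypted VM file, else None."""
    p = PurePosixPath(path)
    if p.suffix.upper() != ENCRYPTED_SUFFIX:
        return None
    original = PurePosixPath(p.stem)  # file name with the .PLAY suffix stripped
    category = VM_FILE_CATEGORIES.get(original.suffix.lower())
    if category is None:
        return None  # some other file got the suffix; not a VM artefact
    return str(p.parent), category


def summarize_datastore(paths):
    """Group encrypted VM artefacts by VM directory and count them per category."""
    impact = defaultdict(lambda: defaultdict(int))
    for path in paths:
        hit = classify_path(path)
        if hit:
            vm_dir, category = hit
            impact[vm_dir][category] += 1
    return {vm_dir: dict(counts) for vm_dir, counts in impact.items()}


# Constructed sample listing (e.g. from `find /vmfs/volumes -type f`), not real data.
SAMPLE_LISTING = [
    "/vmfs/volumes/datastore1/web01/web01.vmx.PLAY",
    "/vmfs/volumes/datastore1/web01/web01.vmdk.PLAY",
    "/vmfs/volumes/datastore1/web01/web01-flat.vmdk.PLAY",
    "/vmfs/volumes/datastore1/web01/web01.vmsd.PLAY",
    "/vmfs/volumes/datastore1/db02/db02.vmx",
    "/vmfs/volumes/datastore1/db02/db02.vmdk",
    "/vmfs/volumes/datastore1/notes.txt.PLAY",
]

if __name__ == "__main__":
    for vm_dir, counts in summarize_datastore(SAMPLE_LISTING).items():
        print(vm_dir, counts)
```

Run against a listing of the datastore paths, the summary tells an incident responder which VMs have encrypted disks versus only encrypted configuration, which is what decides whether a VM can be recovered from its own files or must come from backup.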
Further analysis indicates that the Play ransomware group is likely utilizing services and infrastructure provided by Prolific Puma, which offers an illicit link-shortening service to cybercriminals to evade detection while spreading malware.
The group uses a registered domain generation algorithm (RDGA) to generate new domain names, a technique increasingly used by threat actors like VexTrio Viper and Revolver Rabbit for phishing, spam, and malware distribution.
Revolver Rabbit, for instance, is believed to have registered over 500,000 domains on the “.bond” top-level domain (TLD) at a cost of more than $1 million; these domains serve as active and decoy C2 servers for the XLoader (also known as FormBook) stealer malware.
Infoblox noted in a recent analysis, “The most common RDGA pattern used by this actor is a series of one or more dictionary words followed by a five-digit number, with each word or number separated by a dash. Sometimes, ISO 3166-1 country codes, full country names, or years are used instead of dictionary words.”
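The pattern Infoblox describes is concrete enough to turn into a triage rule for DNS or proxy logs. The following is an added example, not Infoblox’s code or tooling; the regular expression is one reading of “one or more dictionary words, country names, ISO 3166-1 codes or years, separated by dashes, followed by a five-digit number” (alphabetic labels or four-digit years, under the .bond TLD named in the article), and the domains fed to it are constructed, not real indicators.

```python
import re

# One way to operationalise the described shape:
#   label(-label)*-NNNNN.bond
# where each label is an alphabetic token (dictionary word, country name or
# ISO 3166-1 alpha-2 code) or a four-digit year. Restricting labels to these
# two shapes is an assumption, not something the analysis spells out.
RDGA_RE = re.compile(
    r"^(?:[a-z]+|\d{4})(?:-(?:[a-z]+|\d{4}))*-\d{5}\.bond$",
    re.IGNORECASE,
)


def matches_rdga_pattern(fqdn: str) -> bool:
    """True if the hostname fits the word(-word)*-NNNNN.bond shape."""
    return RDGA_RE.match(fqdn.strip().rstrip(".").lower()) is not None


def triage_domains(domains):
    """Split observed domains into pattern matches (suspects) and the rest."""
    suspects, others = [], []
    for domain in domains:
        (suspects if matches_rdga_pattern(domain) else others).append(domain)
    return suspects, others


# Constructed sample input, not indicators from the analysis.
SAMPLE = [
    "harbor-12345.bond",            # word + five digits
    "blue-river-2023-48210.bond",   # words, a year, five digits
    "de-98765.bond",                # ISO 3166-1 code + five digits
    "france-00412.bond",            # country name + five digits
    "example.com",
    "login-portal.bond",            # no numeric tail
    "news-1234.bond",               # four digits, not five
    "mail-12345.bond.example.net",  # .bond not the TLD
]

if __name__ == "__main__":
    suspects, others = triage_domains(SAMPLE)
    print("suspects:", suspects)
    print("others:  ", others)
```

The rule is a prioritisation aid, not a blocklist: legitimate registrations can take the same shape, and the article notes this is only the most common of the actor’s patterns, so matches should feed enrichment (registration date, registrar, resolving infrastructure) rather than an automatic verdict.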
RDGAs are harder to detect and defend against than traditional DGAs because they allow threat actors to register numerous domain names for their criminal infrastructure, either all at once or over time.
“In an RDGA, the algorithm is a secret held by the threat actor, who registers all the domain names,” Infoblox explained. “In contrast, DGAs contain an algorithm that can be discovered, and most domain names are not registered. While DGAs are used exclusively to connect to a malware controller, RDGAs serve various malicious purposes.”
The latest findings suggest a possible collaboration between two cybercriminal groups, indicating that Play ransomware actors are leveraging Prolific Puma’s services to bypass security measures.
“ESXi environments are high-value targets for ransomware due to their critical role in business operations. Their ability to encrypt multiple VMs simultaneously and the valuable data they contain make them particularly attractive to cybercriminals,” Trend Micro concluded.