Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home Alerts

Play Ransomware Targets ESXi Servers

July 19, 2024
Reading Time: 3 mins read
in Alerts
Play Ransomware Targets ESXi Servers

Trend Micro threat hunters have identified a new Linux variant of the Play ransomware, targeting VMware ESXi environments for the first time. This development marks a significant shift for the Play ransomware group, which is renowned for its double-extortion tactics and has previously focused primarily on Windows systems. The new variant is designed to operate exclusively within VMware ESXi environments, a platform commonly used by businesses to manage multiple virtual machines (VMs). By specifically targeting these environments, the ransomware can disrupt critical business operations and encrypt backups, significantly complicating data recovery efforts for affected organizations.

The Play ransomware variant has demonstrated its ability to evade detection, with a sample submitted to VirusTotal showing zero detections. It is distributed in a RAR file alongside its Windows counterpart and is hosted on an IP address known to be associated with various cybercriminal tools. The ransomware’s infection chain includes the use of established tools such as PsExec, NetScan, and WinSCP, which have been previously employed in attacks by the Play group. The ransomware verifies its environment by executing ESXi-specific commands before proceeding with encryption, ensuring it only activates in the targeted setup.

The ransomware’s primary method of attack involves encrypting VM files, including disk, configuration, and metadata files, once it confirms that it is operating within an ESXi environment. It also turns off any running VMs using ESXi commands and drops a ransom note in the root directory of the affected ESXi server. The note, which also appears on the ESXi client login portal and console, includes instructions and links to the Tor network for ransom payment. This approach not only impacts the data stored within the VMs but also hinders the recovery process by potentially encrypting backups.

This new activity by the Play ransomware group has been particularly prevalent in the United States, with manufacturing and professional services being the most targeted sectors. Additionally, the connection between Play ransomware and the Prolific Puma group is evident. Prolific Puma is known for providing infrastructure and services to other cybercriminals, including domain registration and link-shortening services that facilitate the distribution of malware.

Reference:

  • Play Ransomware Group Unleashes New Linux Variant Targeting VMware ESXi Servers
Tags: Cyber AlertsCyber Alerts 2024Cyber RiskCyber threatJuly 2024LinuxRansomwareTrend MicroVmware
ADVERTISEMENT

Related Posts

FreeDrain Phishing Steals Crypto Funds

FBI Warns Cybercriminals Exploit Routers

May 9, 2025
FreeDrain Phishing Steals Crypto Funds

X Scam Targets Crypto Users with Fake Ads

May 9, 2025
FreeDrain Phishing Steals Crypto Funds

FreeDrain Phishing Steals Crypto Funds

May 9, 2025
COLDRIVER Hackers Target Sensitive Data

COLDRIVER Hackers Target Sensitive Data

May 8, 2025
COLDRIVER Hackers Target Sensitive Data

Cisco Fixes Flaw in IOS Wireless Controller

May 8, 2025
COLDRIVER Hackers Target Sensitive Data

CoGUI Targets Consumer and Finance Brands

May 8, 2025

Latest Alerts

X Scam Targets Crypto Users with Fake Ads

FBI Warns Cybercriminals Exploit Routers

FreeDrain Phishing Steals Crypto Funds

CoGUI Targets Consumer and Finance Brands

COLDRIVER Hackers Target Sensitive Data

Cisco Fixes Flaw in IOS Wireless Controller

Subscribe to our newsletter

    Latest Incidents

    LockBit Ransomware Data Leaked After Hack

    Spanish Consumer Group Faces Cyberattack

    Education Giant Pearson Hit by Data Breach

    Masimo Cyberattack Disrupts Manufacturing

    Cyberattack Targets Tepotzotlán Facebook

    West Lothian Schools Hit by Ransomware

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial