Trend Micro threat hunters have identified a new Linux variant of the Play ransomware, targeting VMware ESXi environments for the first time. This development marks a significant shift for the Play ransomware group, which is renowned for its double-extortion tactics and has previously focused primarily on Windows systems. The new variant is designed to operate exclusively within VMware ESXi environments, a platform commonly used by businesses to manage multiple virtual machines (VMs). By specifically targeting these environments, the ransomware can disrupt critical business operations and encrypt backups, significantly complicating data recovery efforts for affected organizations.
The Play ransomware variant has demonstrated its ability to evade detection, with a sample submitted to VirusTotal showing zero detections. It is distributed in a RAR file alongside its Windows counterpart and is hosted on an IP address known to be associated with various cybercriminal tools. The ransomware’s infection chain includes the use of established tools such as PsExec, NetScan, and WinSCP, which have been previously employed in attacks by the Play group. The ransomware verifies its environment by executing ESXi-specific commands before proceeding with encryption, ensuring it only activates in the targeted setup.
The ransomware’s primary method of attack involves encrypting VM files, including disk, configuration, and metadata files, once it confirms that it is operating within an ESXi environment. It also turns off any running VMs using ESXi commands and drops a ransom note in the root directory of the affected ESXi server. The note, which also appears on the ESXi client login portal and console, includes instructions and links to the Tor network for ransom payment. This approach not only impacts the data stored within the VMs but also hinders the recovery process by potentially encrypting backups.
This new activity by the Play ransomware group has been particularly prevalent in the United States, with manufacturing and professional services being the most targeted sectors. Additionally, the connection between Play ransomware and the Prolific Puma group is evident. Prolific Puma is known for providing infrastructure and services to other cybercriminals, including domain registration and link-shortening services that facilitate the distribution of malware.
Reference:
