The Play ransomware group has launched a Linux variant of its malware that specifically targets VMware ESXi environments, according to new findings from Trend Micro.
First detected in June 2022, Play ransomware has gained notoriety for its sophisticated double-extortion tactics, custom-built tools and significant impact on organizations, particularly in Latin America.
Expansion to ESXi Environments
According to an advisory published by Trend Micro last week, this is the first recorded instance of Play ransomware targeting ESXi environments, suggesting an expansion of its attack strategies to the Linux platform. The move likely widens the pool of potential victims and could lead to more successful ransom negotiations.
VMware ESXi hosts are critical for businesses because each one runs multiple virtual machines (VMs) holding essential applications and data. Compromising a host can disrupt every workload on it at once and may also reach the backups stored alongside those VMs, making recovery considerably harder.
Infection Chain and Tools Used
The research highlights that from January to July 2024, the US saw the highest number of Play ransomware victims, with the manufacturing and professional services sectors most affected. A major concern is the ransomware's ability to evade security detections: at the time of the analysis, the Linux variant had zero detections on VirusTotal.
The infection chain of this variant includes tools such as PsExec, NetScan, WinSCP, WinRAR and the Coroxy backdoor, which are hosted on the same IP address previously associated with Play ransomware attacks.
The sample analyzed by Trend Micro first runs ESXi-related commands to confirm it is executing inside an ESXi environment before proceeding with its malicious routines. If those commands are not available, the ransomware terminates itself, which keeps it from running (and being noticed) on non-ESXi Linux hosts such as sandboxes.
Once it has confirmed the environment, the ransomware executes shell commands to enumerate and power off all VMs on the host, then encrypts the VM files, including critical data, and appends the extension ".PLAY" to each affected file. A ransom note is then displayed both in the ESXi client login portal and in the root directory.
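The two host-side traces that sequence leaves, a burst of VM power-offs in the ESXi shell log and VM files renamed with the ".PLAY" extension in a datastore, are what a responder would hunt for first. The following Python script is an added example, not code from the Trend Micro advisory or from the Play sample itself. The shell.log line format, the vim-cmd verbs it looks for (vmsvc/getallvms, vmsvc/power.off), the sample log lines and the file listing are all assumptions constructed for the example; the article does not name the exact commands the variant runs.

```python
"""Hunt for Play-style ESXi activity: a VM power-off burst in the host shell log and
VM files renamed with the .PLAY extension in a datastore listing.
Added example, not Trend Micro's or the ransomware's code; all inputs below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Assumed line format of ESXi /var/log/shell.log: "<ISO time> shell[<pid>]: [<user>]: <command>".
SHELL_LINE = re.compile(r"^(?P<ts>\S+)\s+shell\[\d+\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.+)$")
# vim-cmd verbs commonly used on ESXi to list and stop VMs (assumption; the article does not
# name the commands the variant actually runs).
ENUMERATE_RE = re.compile(r"\bvim-cmd\s+vmsvc/getallvms\b")
POWER_OFF_RE = re.compile(r"\bvim-cmd\s+vmsvc/power\.off\s+(?P<vmid>\d+)")
RANSOM_EXT = ".PLAY"  # extension the article says is appended to encrypted files
VM_EXTENSIONS = {".vmdk", ".vmx", ".vmsd", ".vmsn", ".nvram", ".vswp"}  # guest cannot boot without these

# Constructed sample log: root enumerates then stops four VMs within seconds,
# an admin stops two VMs hours apart (benign), and one line is not a log entry.
SAMPLE_SHELL_LOG = """\
2024-07-18T02:10:41Z shell[2099765]: [root]: esxcli system version get
2024-07-18T02:10:52Z shell[2099765]: [root]: vim-cmd vmsvc/getallvms
2024-07-18T02:11:03Z shell[2099765]: [root]: vim-cmd vmsvc/power.off 1
2024-07-18T02:11:05Z shell[2099765]: [root]: vim-cmd vmsvc/power.off 2
2024-07-18T02:11:07Z shell[2099765]: [root]: vim-cmd vmsvc/power.off 3
2024-07-18T02:11:09Z shell[2099765]: [root]: vim-cmd vmsvc/power.off 4
2024-07-17T09:00:00Z shell[2000001]: [admin]: vim-cmd vmsvc/power.off 7
2024-07-17T17:30:00Z shell[2000002]: [admin]: vim-cmd vmsvc/power.off 8
this line is not a shell.log entry
"""

# Constructed datastore listing, as `find /vmfs/volumes -type f` might print it.
SAMPLE_DATASTORE = [
    "/vmfs/volumes/datastore1/db01/db01.vmx.PLAY",
    "/vmfs/volumes/datastore1/db01/db01.vmdk.PLAY",
    "/vmfs/volumes/datastore1/db01/db01-flat.vmdk.PLAY",
    "/vmfs/volumes/datastore1/db01/vmware.log",
    "/vmfs/volumes/datastore1/web02/web02.vmx",
    "/vmfs/volumes/datastore1/web02/web02.vmdk.PLAY",
    "/vmfs/volumes/datastore1/iso/ubuntu.iso.PLAY",
]


def parse_shell_log(text):
    """Return (timestamp, user, command) tuples; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = SHELL_LINE.match(line.strip())
        if not m:
            continue
        # fromisoformat accepts a trailing "Z" only from Python 3.11 on, so normalise it first.
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        entries.append((ts, m["user"], m["cmd"]))
    return entries


def find_mass_power_off(entries, min_count=3, window=timedelta(minutes=5)):
    """Flag each user whose power-off commands reach min_count inside a sliding time window.

    A burst is reported once, when it first reaches min_count; the finding also records whether
    the same user enumerated VMs beforehand, the sequence the article describes."""
    findings = []
    by_user = defaultdict(list)
    for ts, user, cmd in entries:
        by_user[user].append((ts, cmd))
    for user, items in by_user.items():
        items.sort(key=lambda item: item[0])
        enumerated_at = None
        burst, reported = [], False
        for ts, cmd in items:
            if ENUMERATE_RE.search(cmd):
                enumerated_at = ts
                continue
            m = POWER_OFF_RE.search(cmd)
            if not m:
                continue
            # Keep only the power-offs that fall inside the window ending at this command.
            burst = [(t, v) for t, v in burst if ts - t <= window] + [(ts, m["vmid"])]
            if len(burst) >= min_count and not reported:
                findings.append({
                    "user": user,
                    "first": burst[0][0].isoformat(),
                    "vmids": [v for _, v in burst],
                    "preceded_by_enumeration": enumerated_at is not None and enumerated_at <= burst[0][0],
                })
                reported = True
            elif len(burst) < min_count:
                reported = False  # burst decayed; a later burst is reported separately
    return findings


def find_encrypted_files(paths):
    """Group files carrying the ransom extension by directory and recover their original names."""
    grouped = defaultdict(list)
    for p in paths:
        path = PurePosixPath(p)
        if path.suffix != RANSOM_EXT:
            continue
        grouped[str(path.parent)].append(path.stem)  # "db01.vmdk.PLAY" -> "db01.vmdk"
    return {
        d: {"files": sorted(names),
            "vm_files_hit": any(PurePosixPath(n).suffix.lower() in VM_EXTENSIONS for n in names)}
        for d, names in grouped.items()
    }


if __name__ == "__main__":
    for finding in find_mass_power_off(parse_shell_log(SAMPLE_SHELL_LOG)):
        print("power-off burst:", finding)
    for directory, info in find_encrypted_files(SAMPLE_DATASTORE).items():
        print(directory, info)
```

On a real host the log would come from /var/log/shell.log (and the syslog forwarder, since local logs are the first thing an intruder with root can clear) and the listing from a read-only mount or a `find` over /vmfs/volumes. The window and threshold are starting points: an administrator evacuating a host for maintenance can legitimately stop several VMs quickly, so the "preceded_by_enumeration" flag and the identity of the session matter more than the count alone.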
Connection to Prolific Puma
Additionally, the study reveals a connection between the Play ransomware group and another threat actor known as Prolific Puma. Prolific Puma is notorious for registering algorithmically generated domain names and offering link-shortening services to cybercriminals, which helps their malicious URLs evade detection.
ESXi environments, being high-value targets, require robust security measures to mitigate ransomware attacks.
Recommended practices include regular patching and updates, virtual patching where a fix cannot be applied immediately, correcting misconfigurations, enforcing strong access controls, network segmentation, minimizing the attack surface, maintaining offline backups, and deploying security monitoring and incident response capabilities.