Security experts have discovered a fresh Linux version of the Play ransomware (also known as Balloonfly or PlayCrypt) that specifically targets VMware ESXi systems.

You might be interested in: Risks of AI Training on Your Data

Expanding Attack Surface

“This development indicates that the group is potentially expanding its attack vectors on the Linux platform, thereby increasing its victim count and improving the likelihood of successful ransom payments,” Trend Micro researchers highlighted in a report published last Friday.

First seen in June 2022, Play ransomware is infamous for its dual-extortion tactics, which include encrypting systems after stealing sensitive data and then demanding a ransom for the decryption key. As of October 2023, the group has reportedly compromised up to 300 organizations in Australia and the United States.

Global Impact

Trend Micro’s data for the first seven months of 2024 shows the highest number of victims in the United States, followed by Canada, Germany, the United Kingdom, and the Netherlands.

The ransomware has significantly impacted various sectors, including manufacturing, professional services, construction, IT, retail, financial services, transportation, media, legal services, and real estate.

Technical Analysis

Trend Micro’s investigation into the Linux variant of Play is based on a RAR archive found on an IP address (108.61.142[.]190). This archive also contains other tools known from previous attacks, such as PsExec, NetScan, WinSCP, WinRAR, and the Coroxy backdoor.

“Although no infections have been directly observed, the command-and-control (C&C) server hosts the usual tools Play ransomware employs in its attacks,” the report noted. “This suggests that the Linux variant might use similar tactics, techniques, and procedures (TTPs).”

Upon execution, the ransomware sample confirms it is running in an ESXi environment before it encrypts virtual machine (VM) files, adding the suffix “.PLAY.” A ransom note is then deposited in the root directory.

Criminal Collaboration

Further analysis indicates that the Play ransomware group is likely using services and infrastructure provided by Prolific Puma, a malicious link-shortening service used by other cybercriminals to evade detection while distributing malware.

The group uses a registered domain generating algorithm (RDGA) to create new domain names, a method commonly used by threat actors like VexTrio Viper and Revolver Rabbit for phishing, spam, and malware dissemination.

For instance, Revolver Rabbit is known to have registered over 500,000 domains on the “.bond” top-level domain (TLD) for more than $1 million, utilizing them as both active and decoy C2 servers for the XLoader (also known as FormBook) stealer malware.

Advanced Techniques

“The typical RDGA pattern used by this actor includes one or more dictionary words followed by a five-digit number, with each word or number separated by a dash,” noted Infoblox in a recent study. “Sometimes, the actor uses ISO 3166-1 country codes, full country names, or numbers representing years instead of dictionary words.”

RDGAs are more challenging to detect and combat than traditional DGAs because they allow threat actors to generate numerous domain names and register them for their malicious infrastructure, either all at once or incrementally.

“In an RDGA, the algorithm remains secret with the threat actor, who registers all the domain names,” says Infoblox. “In a typical DGA, the malware contains a discoverable mechanism, and most domain names will not be registered. While DGAs are used solely for connecting to a malware controller, RDGAs are used for various nefarious purposes.”

Conclusion

The latest findings suggest a potential collaboration between two cybercriminal entities, indicating that Play ransomware operators might be leveraging Prolific Puma’s services to bypass security measures.

“ESXi environments are prime targets for ransomware attacks due to their essential role in business operations,” Trend Micro’s report concluded. “The ability to encrypt numerous VMs simultaneously and the critical data they hold make them highly attractive targets for cybercriminals.”