Security experts have discovered a fresh Linux version of the Play ransomware (also known as Balloonfly or PlayCrypt) that specifically targets VMware ESXi systems.
Expanding Attack Surface
“This development indicates that the group is potentially expanding its attack vectors on the Linux platform, thereby increasing its victim count and improving the likelihood of successful ransom payments,” Trend Micro researchers highlighted in a report published last Friday.
First seen in June 2022, Play ransomware is infamous for its double-extortion tactics: it steals sensitive data, encrypts systems, and then demands a ransom both for the decryption key and to withhold publication of the stolen data. As of October 2023, the group had reportedly compromised up to 300 organizations in Australia and the United States.
Global Impact
Trend Micro’s data for the first seven months of 2024 shows the highest number of victims in the United States, followed by Canada, Germany, the United Kingdom, and the Netherlands.
The ransomware has significantly impacted various sectors, including manufacturing, professional services, construction, IT, retail, financial services, transportation, media, legal services, and real estate.
Technical Analysis
Trend Micro's investigation into the Linux variant of Play is based on a RAR archive found on an IP address (108.61.142[.]190). This archive also contains other tools known from previous attacks, such as PsExec, NetScan, WinSCP, WinRAR, and the Coroxy backdoor.
“Although no infections have been directly observed, the command-and-control (C&C) server hosts the usual tools Play ransomware employs in its attacks,” the report noted. “This suggests that the Linux variant might use similar tactics, techniques, and procedures (TTPs).”
Upon execution, the ransomware sample confirms it is running in an ESXi environment before it encrypts virtual machine (VM) files, adding the suffix “.PLAY.” A ransom note is then deposited in the root directory.
Criminal Collaboration
Further analysis indicates that the Play ransomware group is likely using services and infrastructure provided by Prolific Puma, a malicious link-shortening service used by other cybercriminals to evade detection while distributing malware.
The group uses a registered domain generation algorithm (RDGA) to create new domain names, a method commonly used by threat actors like VexTrio Viper and Revolver Rabbit for phishing, spam, and malware dissemination.
For instance, Revolver Rabbit is known to have registered over 500,000 domains on the “.bond” top-level domain (TLD) for more than $1 million, utilizing them as both active and decoy C2 servers for the XLoader (also known as FormBook) stealer malware.
Advanced Techniques
“The typical RDGA pattern used by this actor includes one or more dictionary words followed by a five-digit number, with each word or number separated by a dash,” noted Infoblox in a recent study. “Sometimes, the actor uses ISO 3166-1 country codes, full country names, or numbers representing years instead of dictionary words.”
RDGAs are more challenging to detect and combat than traditional DGAs because they allow threat actors to generate numerous domain names and register them for their malicious infrastructure, either all at once or incrementally.
“In an RDGA, the algorithm remains secret with the threat actor, who registers all the domain names,” says Infoblox. “In a typical DGA, the malware contains a discoverable mechanism, and most domain names will not be registered. While DGAs are used solely for connecting to a malware controller, RDGAs are used for various nefarious purposes.”
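Because an RDGA's generator stays with the actor, defenders cannot reproduce the domain list the way they can with a classic DGA; what they can do is hunt for the naming pattern Infoblox describes in their own DNS telemetry. The following is an added example written for this article, not code from Trend Micro, Infoblox, or the Play operators. It encodes the described pattern (dictionary words, ISO 3166-1 country codes, country names, or years, separated by dashes, ending in a five-digit number) as a regular expression and runs it over a constructed set of DNS query log lines; the log format, client addresses, and domain names are all made up for illustration.

```python
import re
from collections import Counter

# Heuristic for the RDGA pattern described by Infoblox: one or more "word"
# tokens joined by dashes, ending in a five-digit number. A token is either a
# run of letters (a dictionary word, a full country name, or a two-letter
# ISO 3166-1 country code) or a four-digit year (19xx/20xx).
RDGA_LABEL = re.compile(
    r"^(?:[a-z]{2,}|(?:19|20)\d{2})"        # first token
    r"(?:-(?:[a-z]{2,}|(?:19|20)\d{2}))*"    # further dash-separated tokens
    r"-\d{5}$"                               # trailing five-digit number
)


def registrable_label(fqdn: str) -> str:
    """Return the label directly under the TLD (assumes a single-label TLD
    such as .bond or .com; multi-label suffixes like .co.uk are out of scope)."""
    parts = fqdn.strip().lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else ""


def is_rdga_candidate(fqdn: str) -> bool:
    """True when the registrable label matches the RDGA naming pattern.
    This is a hunting heuristic: legitimate domains that happen to use the
    same style will also match, so hits are leads, not verdicts."""
    return bool(RDGA_LABEL.match(registrable_label(fqdn)))


# Constructed DNS resolver log: "<timestamp> <client> <qname> <qtype>".
SAMPLE_LOG = """\
2024-07-22T10:00:01Z 10.0.0.5 summer-garden-48213.bond A
2024-07-22T10:00:02Z 10.0.0.5 www.example.com A
2024-07-22T10:00:03Z 10.0.0.7 germany-2021-90417.bond A
2024-07-22T10:00:04Z 10.0.0.9 de-13370.bond A
2024-07-22T10:00:05Z 10.0.0.9 mail.example.org MX
2024-07-22T10:00:06Z 10.0.0.11 blue-sky-1234.bond A
2024-07-22T10:00:07Z 10.0.0.11 cdn-assets-2.example.net A
"""


def scan_dns_log(text: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, client, qname) for every query whose name matches."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip malformed lines rather than crash on them
        ts, client, qname = fields[0], fields[1], fields[2]
        if is_rdga_candidate(qname):
            hits.append((ts, client, qname))
    return hits


def hits_by_tld(hits: list[tuple[str, str, str]]) -> Counter:
    """Count matches per TLD; a spike on one cheap TLD is a useful pivot."""
    return Counter(qname.rsplit(".", 1)[-1] for _, _, qname in hits)


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_LOG)
    for ts, client, qname in found:
        print(f"{ts} {client} -> {qname}")
    print("per-TLD:", dict(hits_by_tld(found)))
```

In a real deployment the candidate list would be joined against WHOIS or passive-DNS registration dates, since the page's point is that RDGA domains are actually registered, often in bulk on a single TLD; a newly registered domain matching this shape, resolved by an internal host, is what turns the heuristic into an alert.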
Conclusion
The latest findings suggest a potential collaboration between two cybercriminal entities, indicating that Play ransomware operators might be leveraging Prolific Puma’s services to bypass security measures.
“ESXi environments are prime targets for ransomware attacks due to their essential role in business operations,” Trend Micro’s report concluded. “The ability to encrypt numerous VMs simultaneously and the critical data they hold make them highly attractive targets for cybercriminals.”
About Rhyno Cybersecurity Services
Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.
Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.