A new variation of the Play ransomware, also known as Balloonfly and PlayCrypt, has been identified by cybersecurity experts. This specific version is tailored to exploit VMware ESXi environments.
A report released on Friday by Trend Micro researchers indicated that this evolution in the ransomware hints at a possible expansion of attacks on Linux systems. Such diversification could result in a wider array of targets and potentially enhance the effectiveness of ransom negotiations.
Play ransomware gained notoriety in June 2022 for its tactic of double extortion, wherein it encrypts data and extorts payment in exchange for a decryption key. Recent estimates from Australia and the U.S. suggest that around 300 organizations have fallen victim to this ransomware group as of October 2023.
Data provided by Trend Micro for the initial seven months of 2024 indicates that the U.S. has reported the highest number of victims, followed by Canada, Germany, the U.K., and the Netherlands.

Various industries such as manufacturing, professional services, construction, IT, retail, financial services, transportation, media, legal services, and real estate have been significantly impacted by the Play ransomware during this period.
Research conducted by the cybersecurity firm delved into a Linux-based variant of the Play ransomware that was identified within a RAR archive hosted on an IP address (108.61.142[.]190). This archive contained several tools used in previous attacks, including PsExec, NetScan, WinSCP, WinRAR, and the Coroxy backdoor.
Although no direct infections were observed, the command-and-control (C&C) server hosting the archive also served tools commonly used by the Play ransomware group. This suggests that the Linux variant might adopt comparable tactics, techniques, and procedures (TTPs) in its operations.
Upon execution, the ransomware variant validates its presence in an ESXi environment before commencing the encryption process on virtual machine (VM) files. It encrypts various files, including VM disks, configurations, and metadata, and appends them with the extension “.PLAY.” A ransom note is then placed in the root directory.
Further investigations have hinted at the Play ransomware group leveraging services and infrastructure provided by Prolific Puma, a platform that offers illicit link-shortening services to aid cybercriminals in evading detection while disseminating malware.
The ransomware operation utilizes a registered domain generation algorithm (RDGA) to create new domain names. This is a technique increasingly employed by various threat actors, including VexTrio Viper and Revolver Rabbit, for activities like phishing, spam distribution, and malware spread.
Revolver Rabbit, for example, has purportedly registered over 500,000 domains under the “.bond” top-level domain (TLD) at an estimated cost exceeding $1 million. These domains are utilized as active and decoy C&C servers for the XLoader (or FormBook) stealer malware.
RDGAs pose a harder detection and prevention challenge than conventional DGAs because they let threat actors generate and register large numbers of domain names for criminal infrastructure, either all at once or progressively over time.
Infoblox remarked, “In an RDGA, the algorithm remains confidential to the threat actor, who then proceeds to register all domain names. In contrast, a traditional DGA algorithm is discoverable within the malware, leading to a higher proportion of unregistered domain names. While DGAs are mainly utilized for connecting to malware controllers, RDGAs serve a broader range of nefarious activities.”
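As an added illustration of the detection difference the Infoblox quote describes (this is not code from the article, Trend Micro, or Infoblox), the following Python script profiles constructed resolver log lines per client: a high NXDOMAIN ratio is the classic DGA signal, while a stream of distinct, all-resolving, single-use domains is the pattern consistent with an RDGA. The log format, the thresholds, and the naive registrable-domain heuristic are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample resolver log lines (client, queried name, rcode).
# Every name here is made up for illustration; none is a real indicator.
SAMPLE_LOG = """\
10.0.0.5 qwertzuiop.com NXDOMAIN
10.0.0.5 asdfghjklq.com NXDOMAIN
10.0.0.5 poiuytrewq.com NOERROR
10.0.0.7 k3x9v2.bond NOERROR
10.0.0.7 m8q1zt.bond NOERROR
10.0.0.7 r4w7hc.bond NOERROR
10.0.0.9 www.example.com NOERROR
10.0.0.9 mail.example.com NOERROR
10.0.0.9 example.com NOERROR
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(NXDOMAIN|NOERROR)$")

def registrable(name):
    # Naive "registrable domain" = last two labels (assumption; a real
    # deployment would consult the public suffix list instead).
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def profile_clients(log_text, min_queries=3):
    """Per-client stats plus a verdict: dga-like, rdga-like, benign or insufficient."""
    queries = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            client, qname, rcode = m.groups()
            queries[client].append((registrable(qname), rcode))
    report = {}
    for client, rows in queries.items():
        total = len(rows)
        nx_ratio = sum(1 for _, rc in rows if rc == "NXDOMAIN") / total
        counts = Counter(dom for dom, _ in rows)
        singleton_ratio = sum(1 for c in counts.values() if c == 1) / len(counts)
        if total < min_queries:
            verdict = "insufficient"
        elif nx_ratio >= 0.5:
            verdict = "dga-like"    # algorithm ships in the malware: most names unregistered
        elif singleton_ratio >= 0.75 and len(counts) >= min_queries:
            verdict = "rdga-like"   # every name resolves, but each is used only once
        else:
            verdict = "benign"
        report[client] = {"queries": total, "nxdomain_ratio": round(nx_ratio, 2),
                          "distinct_domains": len(counts), "verdict": verdict}
    return report
```

Run against a real resolver export, the same per-client stats separate the NXDOMAIN-heavy hosts worth triaging as DGA infections from hosts whose lookups all succeed yet never repeat a registrable domain.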
Recent discoveries suggest potential collaboration between two illicit entities, indicating that the Play ransomware perpetrators are exploring methods to circumvent security measures through Prolific Puma’s services.
Trend Micro concluded, “Ransomware attacks targeting ESXi environments hold substantial value due to their critical role in business operations. The ransomware’s efficiency in encrypting multiple VMs simultaneously and the strategic importance of data within these environments make them lucrative targets for cybercriminals.”