A new Linux variant of the infamous Play Ransomware, also known as Balloonfly and PlayCrypt, was recently discovered. This variant targets VMware ESXi environments, indicating a strategic shift by the threat actors involved. Review this Cybersecurity Threat Advisory for recommendations to mitigate your risk.
What is the threat?
Two cybercriminal groups, Play Ransomware and Prolific Puma, are potentially collaborating to target VMware ESXi environments to deploy ransomware attacks. Research shows a Linux version of Play Ransomware originated from a RAR archive file hosted on an IP address. This archive also contains additional tools such as PsExec, NetScan, WinSCP, WinRAR, and the Coroxy backdoor, which have been used in previous attacks. The command-and-control (C&C) server houses the tools currently used by Play Ransomware in its operations, although no actual infections have been observed yet.
Before encrypting anything, the ransomware variant first verifies that it is running in an ESXi environment. It then encrypts virtual machine (VM) files, such as VM disk, configuration, and metadata files, appending the suffix “.PLAY” to them, and places a ransom note in the root directory.
Then the attack will use a mechanism known as a registered domain generation algorithm (RDGA) to create new domain names. Threat actors like Revolver Rabbit and VexTrio Viper increasingly use this mechanism to propagate malware, spam, and phishing attacks. Revolver Rabbit’s preferred RDGA pattern consists of a string of one or more dictionary terms followed by a five-digit number, with a dash between each word and number. Occasionally, the actor uses ISO 3166-1 country codes, full country names, or year-specific numbers instead of dictionary terms. RDGAs allow threat actors to generate and register multiple domain names for use in their criminal infrastructure, making them much harder to detect and combat than standard DGAs.
In an RDGA, the threat actor registers every domain name and keeps the algorithm secret. In contrast, a conventional DGA typically has many unregistered domain names, and its algorithm can be discovered. While DGAs are primarily used to connect to a malware controller, RDGAs can be used for various malicious activities.
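The naming pattern described above (one or more dictionary terms, each separated by a dash, followed by a five-digit number, or a country code or year in place of the terms) is something a defender can hunt for in DNS query logs. The following is an added example, not code from the advisory or from any vendor; the word list, country-code list, and log format are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Constructed, abbreviated lists for illustration only. A real deployment would
# load a full dictionary and the complete ISO 3166-1 alpha-2 table.
DICTIONARY = {"secure", "cloud", "update", "portal", "mail", "login", "data", "service"}
COUNTRY_CODES = {"us", "de", "gb", "ca", "nl", "au"}
COUNTRY_NAMES = {"germany", "canada", "netherlands", "australia"}

# One or more lowercase terms joined by dashes, then a dash and either a
# five-digit number or a four-digit year (19xx/20xx).
LABEL_RE = re.compile(r"^(?P<words>[a-z]+(?:-[a-z]+)*)-(?P<num>\d{5}|(?:19|20)\d{2})$")


def classify_label(label: str) -> Optional[str]:
    """Return 'dictionary' or 'country' if a second-level label fits the RDGA shape, else None."""
    m = LABEL_RE.fullmatch(label.lower())
    if not m:
        return None
    words = m.group("words").split("-")
    if all(w in DICTIONARY for w in words):
        return "dictionary"
    if all(w in COUNTRY_CODES or w in COUNTRY_NAMES for w in words):
        return "country"
    return None  # word pattern matched but terms are not in our lists


def sld(fqdn: str) -> str:
    """Naive second-level label (no public-suffix handling), trailing dot ignored."""
    parts = fqdn.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def scan_dns_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (qname, tag) for log lines '<timestamp> <client> <qname>' whose SLD matches."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # skip malformed lines rather than crash on them
        qname = fields[2]
        tag = classify_label(sld(qname))
        if tag:
            hits.append((qname, tag))
    return hits


# Constructed sample DNS query log lines (not real traffic).
SAMPLE_LOG = """\
2024-07-01T10:00:01Z 10.0.0.5 secure-update-48213.example
2024-07-01T10:00:02Z 10.0.0.5 www.example.com
2024-07-01T10:00:03Z 10.0.0.7 de-2024.example
2024-07-01T10:00:04Z 10.0.0.8 mail.corp.example
2024-07-01T10:00:05Z 10.0.0.9 build-12345.example
""".splitlines()

if __name__ == "__main__":
    for qname, tag in scan_dns_log(SAMPLE_LOG):
        print(f"{tag:10} {qname}")
```

Note that `build-12345.example` is not flagged only because `build` is absent from the constructed word list; coverage of this pattern depends entirely on the dictionary you load.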
Why is this noteworthy?
VMware ESXi environments play an integral role in business operations and house high-value data. Additionally, the discovery of a Linux version suggests that the ransomware group is expanding its attacks to the Linux platform, which could increase the number of victims and improve its chances of successful ransom negotiations. Play is known for its double extortion tactics: since its debut in June 2022, the group has encrypted systems after accessing private information and then demanded payment for the decryption key. As of October 2023, reports from the U.S. and Australia indicate that up to 300 enterprises have been affected by this ransomware group.
Research shows that the United States had the highest number of ransomware victims during the first seven months of 2024, followed by Canada, Germany, the United Kingdom, and the Netherlands. Sectors impacted by Play Ransomware during this period include manufacturing, professional services, construction, IT, retail, financial services, media, legal services, and real estate.
What is the exposure or risk?
Businesses use VMware ESXi environments to run multiple virtual machines (VMs) that host critical applications and data, as well as integrated backup solutions. By compromising ESXi hosts, threat actors can disrupt business operations and encrypt those backups, making it harder for businesses to recover from an attack without paying the ransom.
What are the recommendations?
Barracuda recommends the following measures to reduce your company’s risk from this new ransomware variant:
- Block all known threat indicators in security controls
- Search for indicators of compromise (IOCs) within the environment
- Use reputable and up-to-date endpoint protection solutions that include anti-malware, intrusion detection/prevention systems, and behavior-based detection mechanisms
- Implement strong password policies and consider using multi-factor authentication (MFA) to enhance access security
- Implement a robust backup strategy with regular, automated backups of critical data. Store these backups securely offline or in an isolated environment to prevent encryption by ransomware
- Use strong encryption measures for sensitive data to protect it from unauthorized access. Employ data segmentation techniques to isolate critical systems and data from less secure areas
- Establish continuous monitoring processes and conduct periodic security assessments to identify and address evolving threats or vulnerabilities. Continuously improve security measures based on lessons learned from incidents
References
For more in-depth information about the recommendations, please visit the following links:
- New Play Ransomware Linux Variant Targets ESXi Shows Ties With Prolific Puma
- New Linux Variant of Play Ransomware Targeting VMware ESXi Systems
- VMware ESXi Systems Targeted by New Play Ransomware Linux Variant
- Play Ransomware Expands to Target VMWare ESXi Environments
If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.