December 20, 2024
New Linux Version of Play Ransomware Targeting VMware ESXi Systems


Cybersecurity researchers have discovered a new Linux version of the ransomware known as Play (aka Balloonfly and PlayCrypt) designed to target VMware ESXi environments.

“This development suggests that the group may be expanding its attacks across the Linux platform, leading to an expanded victim pool and more successful ransom negotiations,” Trend Micro researchers said in a report published on Friday.

Play, which emerged on the scene in June 2022, is known for its double extortion tactics, encrypting systems after exfiltrating sensitive data and demanding a payment in exchange for the decryption key. According to estimates released by Australia and the US, about 300 organizations have been victimized by the ransomware group since October 2023.

Statistics shared by Trend Micro for the first seven months of 2024 show that the US is the country with the highest number of victims, followed by Canada, Germany, the UK and the Netherlands.


Manufacturing, professional services, construction, IT, retail, financial services, transportation, media, legal services, and real estate are some of the top industries affected by Play ransomware during that period.

The cybersecurity firm’s analysis of the Linux version of Play is based on a RAR archive file hosted at the IP address 108.61.142[.]190, which also contains other tools that have been found to be used in previous attacks, such as PsExec, NetScan, WinSCP, WinRAR, and the Coroxy backdoor.

“Although no actual infection has been observed, the command-and-control (C&C) server hosts the common tools that Play ransomware currently uses in its attacks,” it said. “This could mean that the Linux version uses the same tactics, techniques and procedures (TTPs).”

The ransomware sample, upon execution, checks that it is running in an ESXi environment before proceeding to encrypt virtual machine (VM) files, including VM disk, configuration, and metadata files, appending the extension “.PLAY” to them. The ransom note is then dropped in the root directory.

Further analysis found that the Play ransomware group may be using services and products sold by Prolific Puma, which offers a link-shortening service to other criminals to help them evade detection while distributing malware.

RDGAs

In particular, it uses what is known as a registered domain generation algorithm (RDGA) to generate new domain names, a programmatic technique increasingly used by several threat actors, including VexTrio Viper and Revolver Rabbit, for phishing, spam, and malware distribution.

Revolver Rabbit, for example, is believed to have registered more than 500,000 domains in the “.bond” top-level domain (TLD) at a cost of about $1 million, using them as active and decoy C2 servers for the XLoader (aka FormBook) stealer malware.

“The most common form of RDGA that this actor uses is a series of one or more dictionary words followed by a five-digit number, with each word or number separated by a dash,” Infoblox noted in a recent analysis. “Sometimes the actor uses ISO 3166-1 country codes, full country names, or year-like numbers instead of dictionary words.”

RDGAs are harder to detect and defend against than traditional DGAs because they allow threat actors to generate many domain names and register them for use, either immediately or at a later time, in their criminal activities.

“In an RDGA, the algorithm is a secret kept by the threat actor, and they register all the domain names,” Infoblox said. “In a traditional DGA, the malware contains an algorithm that can be discovered, and most of the domain names will not be registered. While DGAs are used only for connecting to a malware controller, RDGAs are used for a wide range of malicious activity.”
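As an added example (not code from the article, Trend Micro or Infoblox), the following Python triage script flags DNS query names whose registrable label fits the RDGA shape Infoblox describes above, run over constructed log lines. The log layout, and treating country codes and year-like numbers as plain dash-separated labels, are assumptions.

```python
import re
from typing import Iterable, List

# Shape described for the Revolver Rabbit RDGA: one or more dash-separated
# labels followed by a five-digit number, e.g. "word-word-12345".
# Assumption: each leading label is either an alphabetic word (dictionary
# word, ISO 3166-1 code or country name) or a four-digit year-like number.
RDGA_LABEL = re.compile(r"^(?:(?:[a-z]+|[0-9]{4})-)+[0-9]{5}$")


def registrable_label(domain: str) -> str:
    """Return the label left of the TLD ('foo' for 'foo.bond.'), or ''."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else ""


def is_rdga_like(domain: str) -> bool:
    """True when the registrable label matches the dictionary-word + 5-digit pattern."""
    return RDGA_LABEL.match(registrable_label(domain)) is not None


def scan_dns_log(lines: Iterable[str]) -> List[str]:
    """Return query names that match the RDGA pattern.

    Assumes a constructed 'timestamp client qtype qname' line layout; this is
    a triage signal to combine with TLD rarity or newly-registered-domain
    feeds, not a verdict on its own.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or truncated line, skip it
        qname = fields[3]
        if is_rdga_like(qname):
            hits.append(qname.lower().rstrip("."))
    return hits


# Constructed sample log lines, not real telemetry.
SAMPLE_LOG = [
    "2024-12-20T10:01:02Z 10.0.0.5 A update-notice-48213.bond.",
    "2024-12-20T10:01:03Z 10.0.0.5 A www.example.com.",
    "2024-12-20T10:01:04Z 10.0.0.7 A de-2019-77310.bond.",
    "2024-12-20T10:01:05Z 10.0.0.9 A cdn-assets.example.org.",
    "2024-12-20T10:01:06Z 10.0.0.9 A secure-12.bond.",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print("RDGA-like query:", hit)
```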

Recent investigations point to a possible collaboration between the two cybercriminal groups, suggesting that Play ransomware actors are taking steps to evade security controls through Prolific Puma’s services.

“ESXi environments are prime targets for ransomware attacks because of their critical role in business operations,” Trend Micro concluded. “The ability to host multiple VMs at the same time and the critical information they contain increases their profitability for cybercriminals.”
