A Newly Developed Linux Variant of the Play Ransomware Identified as a Threat to VMware ESXi Systems.


A new Linux variant of a ransomware strain known as Play (also known as Balloonfly and PlayCrypt) has been identified by cybersecurity researchers. This variant is intended to target VMware ESXi environments.

Trend Micro researchers stated in a report released on Friday that this development indicates the group may be expanding its attacks to the Linux platform, which could widen its victim pool and lead to more successful ransom negotiations.

Play, which emerged in June 2022, is known for its double extortion tactics: the group exfiltrates sensitive data, encrypts systems, and then demands payment in exchange for a decryption key. Approximately 300 organizations had been affected by the ransomware group as of October 2023, according to estimates from the United States and Australia.

Trend Micro's statistics for the first seven months of 2024 indicate that the United States has the highest number of victims, followed by Canada, Germany, the United Kingdom, and the Netherlands, in that order.

Manufacturing, professional services, construction, IT, retail, financial services, transportation, media, legal services, and real estate were among the industries most heavily impacted by the Play ransomware during that period.

The cybersecurity firm's analysis of the Linux variant of Play found it packaged in a RAR archive hosted on an IP address (108.61.142[.]190), alongside other tools identified in previous attacks, including the Coroxy backdoor, WinSCP, WinRAR, PsExec, and NetScan.

“Though no actual outbreak has been noticed, the command-and-control (C&C) server hosts the common tools that Play ransomware currently uses in its attacks,” according to the report. “This could denote that the Linux variant might employ similar tactics, techniques, and procedures (TTPs).”

Upon execution, the ransomware sample first confirms that it is running in an ESXi environment. It then encrypts virtual machine (VM) files, including the VM disk, configuration, and metadata files, appending the ".PLAY" extension to each, and drops a ransom note in the root directory.
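The behaviour just described leaves two artifacts a defender can inventory from the datastore side: VM files renamed with the ".PLAY" suffix and a note file dropped in the root. The following is an added Python example, not code from the article or from Trend Micro, that walks a datastore tree and reports both. The VMware extensions it treats as VM disk, configuration and metadata files (.vmdk, .vmx, .vmsd, .vmsn, .nvram) are standard VMware file types; the ransom note filename is not given in the report, so the root check is a heuristic that flags any plain non-VM file in the root, and the sample tree it builds is constructed for demonstration.

```python
import tempfile
from collections import Counter
from pathlib import Path

PLAY_SUFFIX = ".PLAY"
# VMware file types covering the disk, configuration and metadata files the
# article says the variant encrypts (.vmdk = disk, .vmx = configuration,
# .vmsd/.vmsn/.nvram = snapshot and state metadata).
VM_EXTENSIONS = {".vmdk", ".vmx", ".vmsd", ".vmsn", ".nvram"}


def scan_datastore(root):
    """Inventory a datastore tree for post-encryption indicators.

    Returns the renamed files, a count per original VM file type, and any
    plain (non-VM, non-renamed) file sitting directly in the datastore root,
    which is where the article says the ransom note is dropped. The root
    check is a heuristic: the note's filename is not given in the report.
    """
    root = Path(root)
    encrypted, by_type = [], Counter()
    for path in root.rglob("*"):
        if path.is_file() and path.name.endswith(PLAY_SUFFIX):
            # Strip the appended suffix to recover the original extension.
            original_ext = Path(path.name[: -len(PLAY_SUFFIX)]).suffix.lower()
            encrypted.append(path.relative_to(root).as_posix())
            by_type[original_ext if original_ext in VM_EXTENSIONS else "other"] += 1
    root_notes = sorted(
        p.name
        for p in root.iterdir()
        if p.is_file()
        and not p.name.endswith(PLAY_SUFFIX)
        and p.suffix.lower() not in VM_EXTENSIONS
    )
    return {
        "encrypted": sorted(encrypted),
        "by_type": dict(by_type),
        "root_notes": root_notes,
    }


def build_sample_datastore(base):
    """Constructed sample tree: one VM encrypted, one untouched, a note in the root."""
    base = Path(base)
    vm1, vm2 = base / "vm-finance", base / "vm-web"
    vm1.mkdir()
    vm2.mkdir()
    for name in ("finance.vmdk.PLAY", "finance.vmx.PLAY", "finance.vmsd.PLAY", "finance.log"):
        (vm1 / name).write_bytes(b"x")
    for name in ("web.vmdk", "web.vmx"):
        (vm2 / name).write_bytes(b"x")
    # Placeholder note name; the real filename is not stated in the report.
    (base / "README_NOTE.txt").write_text("constructed placeholder ransom note\n")
    return base


def demo():
    """Build the constructed sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_datastore(build_sample_datastore(tmp))


if __name__ == "__main__":
    print(demo())
```

Run against a real datastore mount point, a non-empty `encrypted` list with hits concentrated in `.vmdk` and `.vmx` is the signal to act on; `root_notes` only narrows where to look for the note, since any stray file in the root will be listed.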

Additional analysis indicates that the Play ransomware group is likely using the services and infrastructure of Prolific Puma, which runs a clandestine link-shortening service for other cybercriminals to help them evade detection while distributing malware.

In particular, Prolific Puma uses a registered domain generation algorithm (RDGA) to generate new domain names. This programmatic mechanism is increasingly employed by a variety of threat actors, such as VexTrio Viper and Revolver Rabbit, to facilitate the propagation of malware, spam, and fraud.

For example, it is suspected that Revolver Rabbit registered over 500,000 domains on the “.bond” top-level domain (TLD) at an estimated cost of over $1 million. These domains were used as active and decoy C2 servers for the XLoader (aka FormBook) stealer malware.

“The most common RDGA pattern this actor uses is a series of one or more dictionary words followed by a five-digit number, with each word or number separated by a dash,” according to a recent analysis conducted by Infoblox. “Sometimes the actor uses ISO 3166-1 country codes, full country names, or numbers corresponding to years instead of dictionary words.”

RDGAs are significantly more difficult to detect and defend against than traditional DGAs due to the fact that they enable threat actors to generate numerous domain names and register them for use in their illicit infrastructure, either simultaneously or over time.

“In an RDGA, the methodology is a secret maintained by the threat actor, and they register all the domain names,” according to Infoblox. “In a conventional DGA, the malware is equipped with an algorithm that can be identified, and the majority of the domain names will not be registered.” RDGAs are employed for a diverse array of harmful activities, whereas DGAs are exclusively employed for connection to a malware controller.
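Because an RDGA's algorithm stays with the actor rather than shipping in the malware, defenders cannot reverse it from a sample the way they can with a conventional DGA; what remains observable is the naming pattern of the registered domains. The following is an added Python example, not code from the article or from Infoblox, that checks queried names against the structure Infoblox describes for Revolver Rabbit (dash-separated dictionary words, country codes or years, ending in a five-digit number, on the ".bond" TLD) and tallies hits over DNS query log lines. The dictionary, country-code list, year range and log format are all constructed for the example; a real deployment would use a full wordlist and the complete ISO 3166-1 table.

```python
import re
from collections import Counter

# Structural pattern described by Infoblox: one or more word-like tokens, each
# separated by a dash, ending in a five-digit number. A token may also be a
# four-digit year or an ISO 3166-1 alpha-2 country code.
RDGA_RE = re.compile(r"^(?:[a-z]{2,}|\d{4})(?:-(?:[a-z]{2,}|\d{4}))*-\d{5}$")

# Constructed word and country lists (assumption: a real deployment would use a
# full dictionary and the full ISO 3166-1 table).
DICTIONARY = {"blue", "dog", "river", "stone", "cloud", "market", "united", "states", "canada"}
COUNTRY_CODES = {"us", "ca", "de", "gb", "nl"}
YEAR_RANGE = range(1990, 2031)  # assumed plausible range for "year" tokens


def classify_domain(fqdn, tld="bond"):
    """Return whether the registrable label of fqdn fits the described RDGA shape."""
    fqdn = fqdn.lower().rstrip(".")
    labels = fqdn.split(".")
    if len(labels) < 2 or labels[-1] != tld:
        return {"domain": fqdn, "match": False, "reason": "tld"}
    sld = labels[-2]  # registrable label under the TLD
    if not RDGA_RE.match(sld):
        return {"domain": fqdn, "match": False, "reason": "structure"}
    tokens = sld.split("-")[:-1]  # everything before the trailing five-digit number
    known = sum(
        1
        for t in tokens
        if t in DICTIONARY or t in COUNTRY_CODES or (t.isdigit() and int(t) in YEAR_RANGE)
    )
    # known_tokens/total_tokens gives a rough confidence that the words are
    # dictionary-like rather than random strings that happen to fit the shape.
    return {"domain": fqdn, "match": True, "known_tokens": known, "total_tokens": len(tokens)}


# Constructed DNS query log lines: "<timestamp> <client> <qname>".
SAMPLE_LOG = """\
2024-07-20T10:00:01Z 10.0.0.5 blue-dog-12345.bond
2024-07-20T10:00:02Z 10.0.0.5 www.example.com
2024-07-20T10:00:03Z 10.0.0.7 us-2021-54321.bond
2024-07-20T10:00:04Z 10.0.0.7 xkq7z1p.bond
2024-07-20T10:00:05Z 10.0.0.9 blue-dog-12345.bond
2024-07-20T10:00:06Z 10.0.0.9 blue-dog-1234.bond
"""


def flag_rdga_queries(log_text, tld="bond"):
    """Count queries whose qname matches the RDGA pattern, keyed by domain."""
    hits = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; skip rather than crash
        verdict = classify_domain(parts[2], tld=tld)
        if verdict["match"]:
            hits[verdict["domain"]] += 1
    return dict(hits)


if __name__ == "__main__":
    print(flag_rdga_queries(SAMPLE_LOG))
```

The shape check deliberately rejects the random-looking `xkq7z1p.bond` (conventional-DGA-like) and the four-digit `blue-dog-1234.bond`, and the `.bond` TLD filter is a parameter so the same check can be pointed at other TLDs an actor moves to. Treat matches as a triage signal to correlate with other telemetry, not as a block decision on their own.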

The most recent findings suggest that the Play ransomware operators are attempting to circumvent security measures by using Prolific Puma's services, pointing to a potential collaboration between the two cybercriminal entities.

“ESXi platforms are high-value targets for attacks involving ransomware due to their vital function in business operations,” according to Trend Micro research. “The effectiveness of encoding multiple VMs simultaneously and the valuable information they hold further increase their lucrativeness for attackers.”

About The Author:

Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.
