Play Ransomware Expands to Linux: A New Nightmare for VMware ESXi Users
Cybersecurity researchers have identified a new Linux variant of the Play ransomware targeting VMware ESXi environments. Known for double extortion tactics, Play ransomware has expanded its reach, affecting numerous industries and increasing its victim pool. The Linux variant shares similar tactics, posing a significant threat…

Hot Take:
Looks like cybercriminals are playing a dangerous game of cat and mouse with VMware ESXi environments, and they’ve just found a new playground. If your servers could talk, they’d probably be screaming louder than a toddler in a toy store.
Key Points:
- New Linux variant of Play ransomware targets VMware ESXi environments.
- Play ransomware has victimized around 300 organizations as of October 2023.
- Top affected industries include manufacturing, IT, retail, and financial services.
- Play ransomware uses command-and-control servers with common cyberattack tools.
- Collaboration between Play ransomware actors and Prolific Puma to evade detection.
Virtual Playground
Cybersecurity researchers have uncovered a new Linux variant of the infamous Play ransomware, now targeting VMware ESXi environments. It’s like the kid who brings the latest toy everyone wants to play with, except this toy encrypts your virtual machines and demands a ransom. Trend Micro’s report suggests that Play ransomware is broadening its attacks, likely expanding its pool of victims and boosting its ransom-earning potential. If you think your ESXi servers are safe, think again—they might end up as the next hot commodity in a cybercriminal’s shopping cart.
Double Trouble
Play ransomware is no newbie; since June 2022, it’s been making headlines for its double extortion tactics. After exfiltrating sensitive data, Play encrypts systems and demands a hefty payment in exchange for a decryption key. According to estimates from Australia and the U.S., this cyber-Scrooge has already victimized about 300 organizations by October 2023. Victims span a variety of industries: manufacturing, IT, retail, financial services, and more. So, if you’re in one of these sectors, you might want to tighten your cyber belts—things could get bumpy.
Tools of the Trade
Trend Micro’s deep dive into the Linux variant of Play ransomware revealed it comes packaged with a RAR archive file hosted on a suspicious IP address. The archive contains tools that would make any cyber-baddie giddy, including PsExec, NetScan, WinSCP, WinRAR, and the Coroxy backdoor. While no actual infection has been observed yet, the command-and-control servers involved are already hosting these tools, suggesting the Linux variant might follow similar attack patterns. It’s like finding a villain’s toolkit in a comic book—except this time, the threat is very real.
Virtual Kidnapping
Once executed, the Play ransomware ensures it’s operating in an ESXi environment before it starts its dirty work. It encrypts virtual machine files, including VM disk, configuration, and metadata files, and appends them with the “.PLAY” extension. As if adding insult to injury, a ransom note is also conveniently dropped in the root directory. This is virtual kidnapping at its finest, folks—your VMs are the hostages, and the ransom note is the demand letter. Yikes!
Cybercriminal Networking
Further analysis shows that the Play ransomware gang might be getting a helping hand from Prolific Puma, an illicit link-shortening service that aids in evading detection while spreading malware. Prolific Puma employs a registered domain generation algorithm (RDGA) to create new domain names programmatically. This method is increasingly popular among threat actors like VexTrio Viper and Revolver Rabbit, who use it for phishing, spam, and malware distribution. Revolver Rabbit, for instance, has reportedly registered over 500,000 domains on the “.bond” top-level domain, spending more than $1 million. Talk about commitment to the dark side.
Pattern Recognition
Infoblox’s recent analysis identified a common RDGA pattern used by these cybercriminals: a series of one or more dictionary words followed by a five-digit number, separated by dashes. Sometimes, they even throw in ISO 3166-1 country codes, full country names, or years in place of dictionary words. RDGAs are harder to detect and defend against compared to traditional domain generation algorithms (DGAs). While DGAs are used exclusively for connecting to a malware controller, RDGAs have a broader range of malicious applications. Essentially, it’s like giving cybercriminals a Swiss Army knife instead of just a single blade.
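The RDGA shape described above (dictionary words, country codes or years joined by dashes, ending in a five-digit number) is easy to turn into a triage rule for DNS logs. The following is an added example written for this post, not code from Infoblox or Trend Micro; the domain names and log lines are constructed for illustration and are not indicators from the report.

```python
import re

# Constructed regex for the RDGA shape: one or more tokens (a dictionary word,
# an ISO 3166-1 country code, a country name, or a four-digit year) joined by
# dashes, ending in a five-digit number. The token classes are an assumption
# for illustration; a real deployment would tune them against its own traffic.
WORD = r"[a-z]{2,}"            # dictionary word, country code or country name
YEAR = r"(?:19|20)\d{2}"       # four-digit year used in place of a word
TOKEN = rf"(?:{WORD}|{YEAR})"
RDGA_LABEL = re.compile(rf"^{TOKEN}(?:-{TOKEN})*-\d{{5}}$")

def registrable_label(fqdn):
    """Return the label left of the TLD, assuming a single-label TLD like .bond."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else None

def matches_rdga_pattern(fqdn):
    """True when the registrable label fits the words-dash-five-digits shape."""
    label = registrable_label(fqdn)
    return bool(label and RDGA_LABEL.match(label))

def score_domains(domains):
    """Map each domain to whether it fits the pattern (a triage signal, not proof)."""
    return {d: matches_rdga_pattern(d) for d in domains}

# Constructed sample domains; the last one shows the pattern alone can flag a
# benign name, so pair it with registration age, TLD reputation or volume.
SAMPLE_DOMAINS = [
    "silver-lake-48213.bond",
    "us-2023-freight-90017.bond",
    "germany-invoice-00441.bond",
    "example.com",
    "mail-server-12.example.net",
    "totally-normal-12345.org",
]

# Constructed DNS query log in an assumed "<timestamp> <client> <qname>" layout.
DNS_LOG = """\
2024-07-22T10:01:02Z 10.0.0.5 www.silver-lake-48213.bond
2024-07-22T10:01:03Z 10.0.0.5 example.com
2024-07-22T10:01:09Z 10.0.0.7 germany-invoice-00441.bond
"""

def flag_rdga_queries(log_text):
    """Return (client, qname) pairs whose queried name fits the RDGA shape."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue                      # skip malformed lines rather than crash
        _ts, client, qname = fields
        if matches_rdga_pattern(qname):
            hits.append((client, qname))
    return hits
```

Hits from `flag_rdga_queries` are candidates for a closer look, not a verdict; a benign name like the last sample domain fits the shape too.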
Collaboration Station
The latest findings point to a potential collaboration between the Play ransomware crew and Prolific Puma, suggesting they’re teaming up to