Cybersecurity researchers have discovered a new Linux variant of the ransomware called Play (also known as Balloonfly and PlayCrypt) designed to target VMware ESXi environments.
“This development suggests that the group may be expanding its attacks across Linux platforms, leading to a wider victim base and improved success of ransom negotiations,” Trend Micro researchers said in a report published on Friday.
Play, which appeared in June 2022, is known for its dual extortion tactics of stealing confidential data, encrypting systems, and demanding money in exchange for the decryption key. According to estimates released by Australia and the United States, as of October 2023, as many as 300 organizations have fallen victim to this ransomware group.
According to statistics published by Trend Micro for the first seven months of 2024, the country with the highest number of victims is the United States, followed by Canada, Germany, the United Kingdom and the Netherlands.
The main industries affected by Play ransomware during this period include manufacturing, professional services, construction, IT, retail, financial services, transportation, media, legal services, and real estate.
The cybersecurity firm’s analysis of the Linux version of Play is based on a RAR archive file hosted on an IP address (108.61.142[.]190) that also contains other tools seen in previous attacks, including PsExec, NetScan, WinSCP, WinRAR and the Coroxy backdoor.
“While no active infections have been observed, the command and control (C&C) servers host common tools currently used by the Play ransomware in attacks,” the company said. “This could indicate that the Linux variant may employ similar tactics, techniques, and procedures (TTPs).”
When the ransomware sample is executed, it checks that it is running in an ESXi environment, then encrypts Virtual Machine (VM) files such as VM disks, configuration and metadata files, appending the extension “.PLAY” to them, before dropping a ransom note in the root directory.
Further analysis revealed that the Play ransomware group is likely using services and infrastructure sold by Prolific Puma, a company that provides illegal link shortening services to other cybercriminals in order to evade detection while distributing malware.
Specifically, it creates new domain names using something called a Registered Domain Generation Algorithm (RDGA), a programmatic mechanism that is increasingly being used by several threat actors, including VexTrio Viper and Revolver Rabbit, for phishing, spam, and malware distribution.
For example, Revolver Rabbit is believed to have registered over 500,000 domains in the “.bond” top-level domain (TLD) at a cost of approximately $1 million or more and used them as active and decoy C2 servers for the XLoader (aka FormBook) stealer malware.
“The most common RDGA pattern used by this actor is one or more dictionary words followed by five digits, with each word or number separated by a dash,” Infoblox noted in a recent analysis. “In place of a dictionary word, actors may also use ISO 3166-1 country codes, full country names, or numbers corresponding to years.”
RDGAs are much more difficult to detect and prevent than traditional DGAs because threat actors can generate large numbers of domain names and register and use them all at once or over time within their criminal infrastructure.
“In RDGA, the algorithm is kept secret by the threat actor and all domain names are registered,” Infoblox said. “In traditional DGA, the malware contains the discoverable algorithm and most domain names are not registered. While DGA is only used to connect to the malware controller, RDGA is used for a range of malicious activities.”
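As an added illustration that is not taken from the Trend Micro or Infoblox reports, the following Python heuristic flags domain names matching the word(s)-plus-five-digits RDGA shape described above, so a defender can triage passive-DNS or proxy logs for registrations of that form. The sample domains are constructed, the allowed token classes are an assumption drawn from the quoted description, and a match is a triage signal, not proof that a domain belongs to this actor.

```python
import re

# Constructed sample of domain names as they might appear in a passive-DNS
# or proxy log. These are illustrative values, not indicators from the report.
SAMPLE_DOMAINS = [
    "swift-cloud-48213.bond",   # dictionary words + five digits
    "uk-2019-77342.bond",       # country code + year + five digits
    "france-98213.bond",        # full country name + five digits
    "example.com",              # unrelated domain
    "swift-cloud-4821.bond",    # only four digits: does not match
    "mail-relay-12345.net",     # right shape, different TLD
]

# Alphabetic tokens cover dictionary words, ISO 3166-1 alpha-2 codes and
# full country names; a separate check covers tokens that look like years.
ALPHA_TOKEN_RE = re.compile(r"^[a-z]{2,}$")
YEAR_TOKEN_RE = re.compile(r"^(19|20)\d{2}$")
FIVE_DIGIT_RE = re.compile(r"^\d{5}$")


def is_word_slot(token: str) -> bool:
    """True if the token may occupy a 'word' position in the pattern."""
    return bool(ALPHA_TOKEN_RE.match(token)) or bool(YEAR_TOKEN_RE.match(token))


def matches_rdga_pattern(domain: str, tlds: frozenset = frozenset({"bond"})) -> bool:
    """Heuristic match for '<word>[-<word>...]-<5 digits>.<tld>'.

    Only the registrable label (the one directly under the TLD) is examined,
    so 'www.' or other subdomain prefixes do not affect the verdict.
    """
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) < 2 or parts[-1] not in tlds:
        return False
    tokens = parts[-2].split("-")
    if len(tokens) < 2 or not FIVE_DIGIT_RE.match(tokens[-1]):
        return False
    return all(is_word_slot(t) for t in tokens[:-1])


def flag_domains(domains):
    """Return the subset of domains that match the RDGA pattern, in order."""
    return [d for d in domains if matches_rdga_pattern(d)]


if __name__ == "__main__":
    for d in flag_domains(SAMPLE_DOMAINS):
        print("RDGA-pattern candidate:", d)
```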
The latest findings indicate possible cooperation between the two cybercrime groups, suggesting that the Play ransomware attackers are taking steps to circumvent security protocols through the Prolific Puma service.
“ESXi environments are high-value targets for ransomware attacks due to the critical role they play in business operations,” Trend Micro concludes. “The efficiency of encrypting large numbers of VMs simultaneously, and the valuable data stored therein, makes them even more profitable for cybercriminals.”