Cyber researchers uncover Play ransomware expanding its reach
Cybersecurity researchers at Trend Micro have uncovered a concerning development – a new Linux variant of the notorious Play ransomware. According to their analysis, this variant appears designed to target VMware ESXi servers, allowing the attackers to potentially encrypt numerous virtual machines simultaneously and demand ransom payments.
Play ransomware first emerged in mid-2022 and has since victimized an estimated 300+ organizations worldwide, according to statistics from authorities in Australia and the United States.
Manufacturing, professional services, construction, IT, retail, financial services, transportation, media, legal services, and real estate have all been top industries affected by Play over the past year and a half.
Notably, Play employs double extortion tactics – stealing and threatening to leak sensitive files in addition to encrypting systems until a ransom is paid.
This new Linux variant shares similarities in tactics, techniques and procedures (TTPs) with previous Windows-based Play attacks. Upon execution, it first verifies that it is running on an ESXi server; only then does it encrypt VM disk, configuration and metadata files, appending the “.PLAY” extension to each encrypted file.
Trend Micro’s researchers discovered the Linux ransomware sample packaged in a RAR archive, along with common post-exploitation and data theft tools typically leveraged after initial Play compromises.
The archive was hosted on a server (108.61.142[.]190) that also contained previous Play tools such as PsExec, NetScan, WinSCP, WinRAR and the Coroxy backdoor.
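The two concrete indicators above (the “.PLAY” extension appended to VM disk, configuration and metadata files, and the hosting server 108.61.142[.]190) can be turned into a small triage check. The script below is an added example written for this page, not code from Trend Micro or from the article. The datastore listing and log lines it scans are constructed sample data, and the mapping from ESXi file extensions to the article’s “disk, configuration and metadata” categories is an assumption of the example.

```python
"""Added example (not from the article): triage checks built from two
indicators the article names.

  1. files on an ESXi datastore carrying the ".PLAY" extension, with the
     original VM file type recovered from the name underneath;
  2. log lines that reference the hosting server 108.61.142[.]190, kept
     defanged in the source and refanged only in memory for matching.

All sample data below is constructed for the example.
"""
import ipaddress
import re

PLAY_EXT = ".PLAY"

# Assumption: which ESXi file types correspond to the "disk, configuration
# and metadata" files the article mentions. The mapping is the example's.
VM_FILE_TYPES = {
    ".vmdk": "disk",
    ".vmx": "configuration",
    ".vmsd": "metadata (snapshot descriptor)",
    ".vmsn": "metadata (snapshot state)",
    ".nvram": "metadata (BIOS state)",
}

PLAY_HOST_IOC = "108.61.142[.]190"  # defanged, exactly as printed in the article

# Constructed datastore listing: one VM already encrypted, one untouched.
SAMPLE_DATASTORE = [
    "/vmfs/volumes/datastore1/erp01/erp01.vmx.PLAY",
    "/vmfs/volumes/datastore1/erp01/erp01.vmdk.PLAY",
    "/vmfs/volumes/datastore1/erp01/erp01-flat.vmdk.PLAY",
    "/vmfs/volumes/datastore1/erp01/erp01.vmsd.PLAY",
    "/vmfs/volumes/datastore1/erp01/erp01.nvram.PLAY",
    "/vmfs/volumes/datastore1/erp01/vmware.log",
    "/vmfs/volumes/datastore1/fileshare/fileshare.vmx",
    "/vmfs/volumes/datastore1/fileshare/fileshare.vmdk",
]

# Constructed firewall/proxy lines; the second one is a near-miss (…142.19).
SAMPLE_LOGS = [
    "2024-07-19T02:14:07Z fw01 ALLOW tcp 10.0.5.12:51234 -> 108.61.142.190:443",
    "2024-07-19T02:14:09Z fw01 ALLOW tcp 10.0.5.12:51235 -> 108.61.142.19:443",
    "2024-07-19T02:15:40Z proxy01 GET http://108.61.142.190/ client=10.0.5.12",
    "2024-07-19T02:16:00Z fw01 ALLOW tcp 10.0.5.40:44000 -> 93.184.216.34:443",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 1.2.3[.]4 back into a matchable IP."""
    plain = ioc.replace("[.]", ".")
    ipaddress.ip_address(plain)  # raises ValueError if it is not a valid IP
    return plain


def classify_encrypted(path: str):
    """Return (original_path, vm_file_type) for a .PLAY file, else None."""
    if not path.endswith(PLAY_EXT):
        return None
    original = path[: -len(PLAY_EXT)]
    dot = original.rfind(".")
    ext = original[dot:].lower() if dot != -1 else ""
    return original, VM_FILE_TYPES.get(ext, "unknown")


def scan_datastore(paths):
    """Group .PLAY-suffixed files by the type of VM file they replaced."""
    hits = {}
    for path in paths:
        result = classify_encrypted(path)
        if result is not None:
            original, file_type = result
            hits.setdefault(file_type, []).append(original)
    return hits


def scan_logs(lines, ioc=PLAY_HOST_IOC):
    """Return log lines mentioning the indicator as a whole IP, not a prefix."""
    needle = re.escape(refang(ioc))
    pattern = re.compile(r"(?<![\d.])" + needle + r"(?![\d.])")
    return [line for line in lines if pattern.search(line)]


if __name__ == "__main__":
    for file_type, files in sorted(scan_datastore(SAMPLE_DATASTORE).items()):
        print(f"{file_type}: {len(files)} file(s) renamed with {PLAY_EXT}")
    for line in scan_logs(SAMPLE_LOGS):
        print("contact with Play hosting server:", line)
```

The datastore check keys on the exact suffix the article reports rather than on file contents, so a positive result means a file was renamed the way the variant renames its victims; the log check refangs the indicator at runtime so the source file can keep the defanged form and is never copy-pasted as a live address by mistake.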
Play ransomware expands operations through affiliate programs
Further analysis linked the Play ransomware group to services offered through the prolific “Prolific Puma” affiliate program, which provides cybercriminals with link-shortening and hosting infrastructure to evade detection while distributing malware at scale.
Prolific Puma employs registered domain generation algorithms (RDGAs) to spin up vast numbers of new domains programmatically, an increasingly common tactic also used by threats such as VexTrio’s Viper and Revolver Rabbit malware families.
This suggests collaboration between the Play ransomware operators and Prolific Puma, indicating efforts to bypass security via the affiliate’s domain generation and hosting abilities. ESXi servers represent high-value ransomware targets due to their critical functions in businesses.
The efficiency of encrypting multiple virtual machines simultaneously further increases profit potential for cybercriminals willing to target VMware environments specifically.
As Play ransomware continues diversifying its tactics, expanding to Linux and cultivating affiliate relationships, organizations face an evolving threat that can potentially disrupt entire virtual infrastructures at once through compromise of a single ESXi host.
Trend Micro warns this development foreshadows an expanded victim pool and greater success in ransom negotiations going forward for this dangerous ransomware strain. Close monitoring of Play’s developments as well as hardened security on virtualization platforms remains critically important.