Cybersecurity researchers have discovery a new Linux variant of a ransomware strain known as Play (also known as Balloonfly and PlayCrypt) designed to target VMware ESXi environments.
Ransomware Play, the word from cybersecurity researchers
“This development suggests that the group may be expanding its attacks to the Linux platform, leading to a larger victim pool and more effective ransom negotiations.“, they have affirmed Trend Micro researchers in a report published on Friday.
Play, which appeared on the scene in June 2022, is known for its double extortion tactics, encrypting systems after exfiltrating sensitive data and demanding payment in exchange for a decryption key; according to estimates released by Australia and the United States, the ransomware group has victimized approximately 300 organizations as of October 2023.
Statistics shared by Trend Micro for the first seven months of 2024 show that the United States is the country with the highest number of victims, followed by Canada, Germany, the United Kingdom, and the Netherlands.
Manufacturing, professional services, construction, IT, retail, financial services, transportation, media, legal services, and real estate are some of the industries most affected by Play ransomware during this period.
Play Analysis on Linux
The analysis of the Linux variant of Play by the cybersecurity firm comes from a RAR archive file hosted on an IP address (108.61.142[.]190), which also contains other tools identified as being used in previous attacks, such as PsExec, NetScan, WinSCP, WinRAR and the Coroxy backdoor.
“While no actual infection has been observed, the command and control (C&C) server hosts common tools that the Play ransomware currently uses in its attacks.“, he has declared. “This could indicate that the Linux variant may employ similar tactics, techniques and procedures (TTPs)..”
The ransomware sample, once executed, ensures that it is running in an ESXi environment before proceeding to encrypt virtual machine (VM) files, including disk, configuration, and VM metadata files, appending them with the extension “.PLAY.” A ransom note is then dropped in the root directory.
Further analysis determined that the Play ransomware group is likely using services and infrastructure provided by Prolific Pumawhich offers a rogue link shortening service to other cybercriminals to help them evade detection when distributing malware.
In particular, it uses what is called a Registered Domain Generation Algorithm (RDGA) to create new domain names, a programmatic mechanism increasingly used by several attackers, including VexTrio Viper and Revolver Rabbit, for phishing, spam, and malware propagation.
Revolver Rabbit, for example, is believed to have registered over 500,000 domains on the top-level domain (TLD) “.bond” at an approximate cost of over $1 million, exploiting them as active C2 servers and decoys for the stealer malware XLoader (also known as FormBook).
“The most common RDGA pattern used by this cybercriminal is a series of one or more dictionary words followed by a five-digit number, with each word or number separated by a hyphen.“, Infoblox noted in a recent analysis. “Sometimes the cybercriminal uses ISO 3166-1 country codes, full country names, or numbers corresponding to years instead of dictionary words.“
RDGAs are much more difficult to detect and defend against than traditional DGAs because they allow cybercriminals to generate many domain names to register for use, either all at once or over time, in their criminal infrastructure.
“In an RDGA, the algorithm is a secret kept by cybercriminals, and they register all domain names“, Infoblox said. “In a traditional DGA, the malware contains an algorithm that can be cracked, and most domain names will not be registered. While DGAs are used exclusively for connecting to a malware controller, RDGAs are used for a wide range of malicious activities..”
The latest findings point to a potential collaboration between two cybercriminal groups, suggesting that the authors behind the Play ransomware are taking steps to bypass security protocols through Prolific Puma services.
“ESXi environments are high-value targets for ransomware attacks due to their critical role in business operations.“, concluded Trend Micro. “The efficiency of encrypting numerous VMs simultaneously and the valuable data they contain further increases their attractiveness to cybercriminals..”
#Play #Notorious #Ransomware #Variant #Runs #Linux
