Cybersecurity researchers have discovered a new Linux variant of the ransomware strain known as Play (aka Balloonfly and PlayCrypt) that is designed to target VMware ESXi environments.
“These developments indicate that the group may be expanding its attacks on the Linux platform, leading to more victims and more successful ransom negotiations,” Trend Micro researchers said in a report released Friday.
Play, which appeared on the scene in June 2022, is known for its double extortion tactics: it encrypts systems after stealing sensitive data and then demands payment in exchange for a decryption key. According to estimates published by Australia and the United States, about 300 organizations had fallen victim to the ransomware group as of October 2023.
Statistics shared by Trend Micro for the first seven months of 2024 show that the US is the country with the highest number of victims, followed by Canada, Germany, the UK and the Netherlands.
Manufacturing, professional services, construction, IT, retail, financial services, transportation, media, legal services and real estate are among the main industries affected by Play ransomware during this period.
The cybersecurity company’s analysis of the Linux variant of Play is based on a sample taken from a RAR archive hosted at the IP address 108.61.142(.)190, which also contained other tools identified as having been used in previous attacks, such as PsExec, NetScan, WinSCP, WinRAR and the Coroxy backdoor.
“Although no actual infection has been observed, the command-and-control (C&C) server hosts common tools that the Play ransomware is currently using in its attacks,” it said. “This may mean that the Linux variant may use similar tactics, techniques and procedures (TTPs).”
After execution, the ransomware sample checks that it is running in an ESXi environment before proceeding to encrypt virtual machine (VM) files, including the VM disk, configuration files and metadata, appending a “.PLAY” extension to each. The ransom note is then dropped into the root directory.
Further analysis revealed that the Play ransomware group likely uses services and infrastructure sold by Prolific Puma, which offers an illegal link-shortening service to other cybercriminals to help them avoid detection while distributing malware.
Specifically, it uses a so-called Registered Domain Generation Algorithm (RDGA) to generate new domain names, a mechanism increasingly used by several threat actors, including VexTrio Viper and Revolver Rabbit, for phishing, spam and malware distribution.
Revolver Rabbit, for example, is believed to have registered more than 500,000 domains on the “.bond” top-level domain (TLD), at an estimated cost of more than $1 million, using them as active and decoy C2 servers for the XLoader (aka FormBook) information-stealing malware.
“The most common RDGA pattern used by this actor is a series of one or more vocabulary words followed by a five-digit number, with each word or number separated by a dash,” Infoblox noted in a recent analysis. “Sometimes the actor uses ISO 3166-1 country codes, full country names, or numbers corresponding to years instead of dictionary words.”
RDGAs are much more difficult to detect and defend against than traditional DGAs because they allow threat actors to create many domain names and register them for use, either immediately or over time, in their criminal infrastructure.
“With RDGA, the algorithm is a secret kept by the threat actor, and they register all the domain names,” Infoblox said. “In a traditional DGA, the malware contains an algorithm that can be detected, and most domain names will not be registered. While DGAs are used exclusively to connect to a malware controller, RDGAs are used for a wide variety of malicious activities.”
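Because an RDGA keeps its generation algorithm secret, defenders cannot reproduce the domain list the way they can with a classic DGA; what remains is the observable naming shape. The following is an added example (not code from Trend Micro, Infoblox or the article) that turns the Revolver Rabbit pattern quoted above into a detection heuristic run over constructed DNS query log lines. It assumes a log format of `timestamp client qname`, a deliberately tiny dictionary and country table (a real deployment would load a full word list and the ISO 3166-1 set), and a year range of 1990-2030; all of these are assumptions, not values from the article. Hits whose every word slot is recognized are graded “high”, the rest “medium”, so an analyst can triage the structural matches that a plain regex alone would lump together.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Structural shape quoted from Infoblox: one or more "words" followed by a five-digit
# number, everything dash-separated. A word slot may also hold an ISO 3166-1 alpha-2
# code, a full country name, or a four-digit year.
LABEL_RE = re.compile(
    r"^(?P<words>(?:[a-z]+|\d{4})(?:-(?:[a-z]+|\d{4}))*)-(?P<num>\d{5})$"
)

# Constructed, deliberately small reference tables (assumption: replace with a real
# dictionary and the full ISO 3166-1 list in production).
DICTIONARY = {"cloud", "storage", "blue", "river", "stone", "secure", "portal"}
COUNTRY_CODES = {"fr", "de", "us", "gb", "nl", "ca"}
COUNTRY_NAMES = {"france", "germany", "canada", "netherlands"}
YEAR_RANGE = (1990, 2030)  # assumption: plausible "year" substitutes

# Constructed sample DNS query log (not real telemetry): "<timestamp> <client> <qname>"
SAMPLE_DNS_LOG = """\
2024-07-19T10:00:01Z 10.0.0.12 cloud-storage-48213.bond
2024-07-19T10:00:02Z 10.0.0.12 www.example.com
2024-07-19T10:00:03Z 10.0.0.15 fr-20419.bond
2024-07-19T10:00:04Z 10.0.0.15 mail.internal.example.org
2024-07-19T10:00:05Z 10.0.0.20 germany-2023-90552.bond
2024-07-19T10:00:06Z 10.0.0.20 blue-river-stone-77013.bond
2024-07-19T10:00:07Z 10.0.0.21 cdn-assets.example.net
2024-07-19T10:00:08Z 10.0.0.22 xqzv-11111.bond
2024-07-19T10:00:09Z 10.0.0.22 stone-123.bond
2024-07-19T10:00:10Z 10.0.0.23 www.secure-portal-30188.bond
"""


@dataclass
class Verdict:
    qname: str
    matches_shape: bool   # True when the registered label fits the RDGA pattern
    tokens: tuple         # classification of each word slot, left to right
    confidence: str       # "high", "medium" or "none"


def classify_token(tok: str) -> str:
    """Label one word slot as word / country_code / country_name / year / unknown."""
    if tok.isdigit() and len(tok) == 4 and YEAR_RANGE[0] <= int(tok) <= YEAR_RANGE[1]:
        return "year"
    if tok in COUNTRY_CODES:
        return "country_code"
    if tok in COUNTRY_NAMES:
        return "country_name"
    if tok in DICTIONARY:
        return "word"
    return "unknown"


def assess(qname: str, watched_tlds=("bond",)) -> Verdict:
    """Test the registered domain (last two labels) of a query name against the pattern."""
    qname = qname.rstrip(".").lower()
    parts = qname.split(".")
    if len(parts) < 2 or parts[-1] not in watched_tlds:
        return Verdict(qname, False, (), "none")
    m = LABEL_RE.match(parts[-2])
    if not m:
        return Verdict(qname, False, (), "none")
    tokens = tuple(classify_token(t) for t in m.group("words").split("-"))
    confidence = "high" if "unknown" not in tokens else "medium"
    return Verdict(qname, True, tokens, confidence)


def scan_log(text: str):
    """Return (timestamp, client, Verdict) for every log line whose qname matches."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line; skip rather than crash
        verdict = assess(fields[2])
        if verdict.matches_shape:
            hits.append((fields[0], fields[1], verdict))
    return hits


def hits_per_client(hits) -> Counter:
    """Count matching queries per source host; bursts from one host deserve a closer look."""
    return Counter(client for _, client, _ in hits)


if __name__ == "__main__":
    for ts, client, v in scan_log(SAMPLE_DNS_LOG):
        print(f"{ts} {client} {v.qname} tokens={v.tokens} confidence={v.confidence}")
    print(hits_per_client(scan_log(SAMPLE_DNS_LOG)))
```

The TLD list is a parameter because the “.bond” concentration is specific to Revolver Rabbit; other actors using an RDGA will pick other registries, and the same structural test can be pointed at whichever TLDs dominate an organisation’s own resolver logs.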
The latest findings point to potential collaboration between the two cybercriminal groups, suggesting that Play ransomware actors are taking steps to bypass security controls through Prolific Puma’s services.
“ESXi environments are valuable targets for ransomware attacks because of their critical role in business operations,” Trend Micro concluded. “The efficiency of encrypting many virtual machines simultaneously and the valuable data they store further increases their profitability for cybercriminals.”