Play Ransomware Variant Attacking Linux ESXi Servers


Because ESXi servers host multiple virtual machines, they are attractive targets: a successful breach of one server can give threat actors access to large amounts of valuable data and control over entire network environments.

Such a compromise also lets attackers deploy ransomware across numerous systems at once, causing operational and financial damage to organizations.


Cybersecurity researchers at Trend Micro recently discovered that a Linux variant of Play ransomware has been actively attacking ESXi servers.

Play Ransomware ESXi Servers

A Linux variant of Play ransomware targeting VMware ESXi environments was discovered by a threat-hunting team.

This development suggests that Play now also attacks Linux systems, widening its pool of potential victims.


The malware evades detection by running only when it confirms it is in an ESXi environment.

Using ESXi-specific commands, it also powers off all VMs and alters the message displayed after reboot so that nothing appears to be wrong.

It then appends a .PLAY extension to the encrypted files and drops a ransom note.
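To make the post-encryption artifacts described above concrete from the responder's side, here is an added example (not code from the article or from Trend Micro) that scopes an incident on a datastore: it walks a directory tree, collects every file carrying the reported .PLAY extension, and flags likely ransom notes. The article does not name the note file, so the note heuristic (a small plain-text file sitting beside encrypted files) and the sample datastore layout are assumptions constructed for this example.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extension the article reports the Play Linux variant appending to encrypted files.
PLAY_EXT = ".PLAY"
# Assumption: the ransom note is a small plain-text file dropped next to encrypted
# data. The article does not give its filename, so detection is by placement and size.
NOTE_MAX_BYTES = 8192


def _looks_like_text(path):
    """Cheap text-vs-binary check: no NUL bytes in the first 512 bytes."""
    with open(path, "rb") as f:
        chunk = f.read(512)
    return b"\x00" not in chunk


def find_play_artifacts(root):
    """Walk `root` and return encrypted files plus candidate ransom notes.

    encrypted: sorted paths ending in .PLAY (case-sensitive, as reported)
    notes:     sorted small text files located in a directory that also holds
               encrypted files (assumed ransom-note placement)
    per_dir:   Counter of encrypted-file counts per directory
    """
    encrypted, candidates, per_dir = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(PLAY_EXT):
                encrypted.append(path)
                per_dir[dirpath] += 1
            else:
                candidates.append(path)
    notes = [
        p for p in candidates
        if per_dir[os.path.dirname(p)]            # only next to encrypted files
        and os.path.getsize(p) <= NOTE_MAX_BYTES
        and _looks_like_text(p)
    ]
    return {"encrypted": sorted(encrypted), "notes": sorted(notes), "per_dir": per_dir}


def scope_summary(report):
    """Condense a report into the first facts a responder needs: how many files and
    directories are hit, and which original file types were encrypted."""
    original_exts = Counter(
        Path(p[: -len(PLAY_EXT)]).suffix.lower() or "<none>" for p in report["encrypted"]
    )
    return {
        "encrypted_files": len(report["encrypted"]),
        "affected_dirs": len(report["per_dir"]),
        "note_candidates": len(report["notes"]),
        "original_extensions": dict(original_exts),
    }


def build_sample_tree():
    """Constructed sample datastore layout for offline demonstration (not real data)."""
    root = tempfile.mkdtemp(prefix="esxi_sample_")
    layout = {
        "datastore1/vm01/vm01.vmdk.PLAY": b"\x00" * 64,
        "datastore1/vm01/vm01.vmx.PLAY": b"\x00" * 16,
        "datastore1/vm01/README.txt": b"constructed ransom note text\n",
        "datastore1/vm02/vm02-flat.vmdk.PLAY": b"\x00" * 64,
        "datastore1/vm02/README.txt": b"constructed ransom note text\n",
        # Untouched directory: small text file here must NOT be flagged as a note.
        "datastore1/iso/notes.txt": b"just an ordinary text file\n",
        "datastore1/iso/installer.iso": b"\x00" * 128,
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    rep = find_play_artifacts(sample_root)
    print(scope_summary(rep))
    for note in rep["notes"]:
        print("candidate ransom note:", note)
```

Running the script against a real datastore mount instead of the constructed tree gives a quick blast-radius count (files, directories, original file types) before any recovery decision is made; the note heuristic is deliberately loose, so treat flagged files as candidates to review rather than confirmed notes.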

This shows that Play has adopted new tactics aimed at mission-critical virtualization infrastructure, leading to significant operational disruption and complicating data recovery efforts.

Infection chain (Source – Trend Micro)

An investigation into the hosting infrastructure of Play ransomware revealed ties to Prolific Puma. This cyber threat actor is reputed for selling link-shortening software to other internet threat actors.

The IP address hosting Play's toolkit resolves to domains matching the random domain generation algorithm (RDGA) pattern typical of Prolific Puma.

Accessing different domains shows the same message about link-shortening services (Source – Trend Micro)

Further analysis on Coroxy, which is associated with Play, showed connections to IP addresses connected to Prolific Puma.

This suggests that both groups' infrastructures use a common network provider, as they share the same autonomous system number (ASN).

The IP address hosting the ransomware (left) and the IP address related to Prolific Puma (right) have similarities (Source – Trend Micro)

Taken together, this points to possible collaboration between the two parties, with Prolific Puma potentially helping Play evade detection and distribute malware, and it highlights how interconnected threat actors are.

Mitigations

The recommended mitigations are:

  • Regularly patch and update ESXi environments.
  • Implement virtual patching for immediate risk mitigation.
  • Audit and correct ESXi misconfigurations.
  • Enforce strong access controls with MFA.
  • Segment critical systems and networks.
  • Minimize attack surface by disabling unnecessary services.
  • Maintain and test regular offline backups.
  • Deploy security monitoring and develop incident response plans.
