Play Ransomware Group's New Linux Variant Targets ESXi, Shows Ties With Prolific Puma
Summary:
Researchers at Trend Micro have uncovered a new Linux variant of the Play ransomware that is built to target VMware ESXi environments. Based on a sample submitted to VirusTotal, the Linux variant is bundled in a RAR archive together with its Windows variant and hosted at the URL hxxp://108.[BLOCKED].190/FX300.rar. The same IP address has previously hosted tools such as PsExec, NetScan, WinSCP, WinRAR, and the Coroxy backdoor, all of which Play actors have used in earlier attacks. Like its Windows variant, the new variant supports commands to encrypt drives, files, and network-shared resources. Notably, the Linux variant checks whether it is running in an ESXi environment before executing its malicious routines; if no such environment is detected, it terminates and deletes itself.
Security Officer Comments:
Upon examining the URL used to host the Play ransomware sample, researchers found a connection to another threat group, Prolific Puma, which is known for generating domain names with a registered domain generation algorithm (RDGA) and using them to run a link-shortening service for other cybercriminals. Notably, a shortened link created by Prolific Puma was tied to the same IP address observed hosting the Play payload, suggesting that Play may be using Prolific Puma's services to better evade detection and blocking of its infrastructure.
Suggested Corrections:
The creation of a Linux variant indicates that the Play operators are broadening their target set to include ESXi hosts, where encrypting a single hypervisor takes down every virtual machine it runs. To defend against such attacks, Trend Micro recommends:
- Regular patching and updates: Keep the ESXi environment and associated management software up to date to protect against known vulnerabilities.
- Virtual patching: Many organizations may not patch or update their ESXi environments as frequently as they should due to complexity, downtime concerns, resource constraints, operational priorities, or compatibility issues. Virtual patching helps by applying security measures at the network level to protect vulnerable systems, mitigating risks without needing to alter the underlying software immediately.
- Addressing inherent misconfigurations: Regularly audit and correct misconfigurations within ESXi environments, as these can create vulnerabilities that ransomware can exploit. Implementing strong configuration management practices can help ensure that settings adhere to security best practices and reduce the risk of exploitation.
- Strong access controls: Implement robust authentication and authorization mechanisms, such as multifactor authentication (MFA), and restrict administrative access.
- Network segmentation: Segregate critical systems and networks to limit the spread of ransomware.
- Minimized attack surface: Disable unnecessary and unused services and protocols, restrict access to critical management interfaces, and implement strict firewall rules to limit network exposure. VMware provides various guidelines and best practices on how to secure ESXi environments.
- Regular offline backups: Maintain frequent and secure backups of all critical data. Ensure that backups are stored offline and tested regularly to verify their integrity.
- Security monitoring and incident response: Deploy monitoring and detection solutions and develop an incident response plan so that suspicious activity on ESXi hosts can be addressed promptly and proactively.
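The access-control and attack-surface items above can be applied on an ESXi host from its shell with esxcli and vim-cmd. The script below is an added example written for this page, not code from Trend Micro or VMware: it restricts the management rulesets to an administrative subnet, turns off SSH and the ESXi Shell (with idle timeouts for when they must be re-enabled), and sets execInstalledOnly so that a binary dropped into /tmp or a datastore cannot be executed. The subnet 10.10.0.0/24 and the ruleset list are assumptions to adjust for your site; run it first with DRY_RUN=1 to review the commands, and only from a session that originates inside the subnet you whitelist, or you will lock yourself out.

```shell
#!/bin/sh
# Added example (not from the Trend Micro report): ESXi hardening with esxcli/vim-cmd.
# ASSUMPTIONS: MGMT_NET and MGMT_RULESETS are placeholders for this example; adjust
# them for your environment. DRY_RUN=1 prints each command instead of executing it.

MGMT_NET="${MGMT_NET:-10.10.0.0/24}"   # assumed admin subnet; change before use
# Firewall rulesets that expose management interfaces (SSH, vSphere 443/902, HTTP, CIM).
MGMT_RULESETS="sshServer vSphereClient webAccess CIMHttpsServer"

run() {
    # Execute a command, or echo it when DRY_RUN is set so the plan can be reviewed.
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

enable_firewall_default_drop() {
    # Make sure the host firewall is on and unmatched traffic is dropped (false = drop).
    run esxcli network firewall set --enabled=true
    run esxcli network firewall set --default-action=false
}

restrict_rulesets() {
    # Keep each management ruleset enabled, but replace "allow from any IP"
    # with an explicit allow-list containing only the management subnet.
    for rs in $MGMT_RULESETS; do
        run esxcli network firewall ruleset set --ruleset-id="$rs" --allowed-all=false
        run esxcli network firewall ruleset allowedip add --ruleset-id="$rs" --ip-address="$MGMT_NET"
    done
}

disable_shells() {
    # Interactive shells are the channel through which a dropped ELF gets launched:
    # stop them now and set the service policy so they stay off across reboots.
    run vim-cmd hostsvc/disable_ssh
    run vim-cmd hostsvc/stop_ssh
    run vim-cmd hostsvc/disable_esx_shell
    run vim-cmd hostsvc/stop_esx_shell
    # When a shell must be re-enabled for maintenance, idle sessions and the
    # service itself time out after 15 minutes (900 s) instead of staying open.
    run esxcli system settings advanced set -o /UserVars/ESXiShellInteractiveTimeOut -i 900
    run esxcli system settings advanced set -o /UserVars/ESXiShellTimeOut -i 900
}

block_unsigned_binaries() {
    # execInstalledOnly refuses to execute binaries that did not arrive through a
    # signed VIB, which covers an ad-hoc ransomware ELF copied onto the host.
    # It is a boot option and takes effect after the next reboot.
    run esxcli system settings kernel set -s execInstalledOnly -v TRUE
}

harden_esxi() {
    enable_firewall_default_drop
    restrict_rulesets
    disable_shells
    block_unsigned_binaries
}

# Usage on the host:  DRY_RUN=1 sh harden_esxi.sh apply   (review)
#                     sh harden_esxi.sh apply              (enforce)
if [ "${1:-}" = "apply" ]; then
    harden_esxi
fi
```

On vCenter-managed hosts the firewall and service policy may be governed by a host profile, in which case the same settings should be made there so the profile does not revert them at the next remediation.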
https://www.trendmicro.com/en_us/re...x-variant-targets-esxi-shows-ties-with-p.html