Executive Summary
A Linux variant of Play ransomware has been observed that is capable of targeting ESXi environments.
Key Takeaways
- A Linux variant of Play ransomware has been observed that is capable of targeting ESXi environments.
- VMWare ESXi environments often play a critical role in business operations.
- The malware runs commands to check that it is running in an ESXi environment before performing malicious activities.
- If an ESXi environment is not detected, the malware terminates and deletes itself.
What is Play?
A Linux variant of Play ransomware has been observed that is capable of targeting ESXi environments. Trend Micro recently reported on this variant.
Play ransomware group has been active since mid-2022. Play ransomware, also known as Balloonfly and PlayCrypt, was included in our list of Polyswarm’s 2024 Malware to Watch. Due to the group’s momentum in late 2023 and the availability of Play-as-a-service, our analysts expected it to be an emerging and evolving threat in 2024.
Play ransomware is known to use double extortion tactics. In the past, their targets have primarily been in North America, South America, and Europe. Past targets have included entities in the government, financial, legal, software, shipping, law enforcement, and logistics verticals.
Play has evolved in the short time it has been on the threat landscape. In early 2023, Play was observed using new custom data-gathering tools, making data exfiltration for extortion more effective. By October 2023, the FBI noted Play had amassed at least 300 victims. In November 2023, industry researchers noted that Play was being sold as a service. In December, it was one of the most active ransomware families. The ransomware has continued to be active throughout 2024. Play’s most recent move in 2024 is a new Linux variant capable of targeting VMWare ESXi environments, which often play a critical role in business operations.
The initial attack vector can include the threat actor using valid accounts to access an environment or using phishing techniques to bait a victim into visiting the site that hosts the malware. The Play Linux variant is delivered in a compressed RAR file alongside its Windows variant. It is hosted on a server known to host other tools used by Play ransomware group. It is interesting to note that Trend Micro has linked the C2 to a threat actor known as Prolific Puma.
The Linux variant of Play is capable of evading security detections. It runs commands to check that it is running in an ESXi environment before performing malicious activities. If an ESXi environment is not detected, the malware terminates and deletes itself. Additionally, the Linux variant uses a series of shell script commands to scan and power off any VMs found within the environment. The malware sets a custom Welcome message on the ESXi host then encrypts the VM files, including the disk, configuration, and metadata files. The .PLAY extension is appended to encrypted files. The ransomware also drops a ransom note in the root directory.
IOCs
PolySwarm has a sample of the Linux variant of Play.
7a55c8391fda90a5d4653fdebe2d685edb662859937e14b6756f45e29b76901d
You can use the following CLI command to search for all Play samples in our portal:
$ polyswarm link list -f Play
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.
