In a significant development in the cyber security landscape, Trend Micro has identified that the Play ransomware group has started deploying a specialised Linux locker aimed at encrypting VMware ESXi virtual machines. This marks a new phase in the ransomware's evolution, posing an increased threat to organisations utilising these environments.
Targeting ESXi Environments
Trend Micro's analysts have noted that the Play ransomware variant checks that it is running inside an ESXi environment before it begins its malicious activity. This environment check also helps the ransomware evade detection on Linux systems.
Broadening Attack Vectors
"This is the first instance of Play ransomware specifically targeting ESXi environments," Trend Micro reported. This new tactic indicates that the group is expanding its reach across Linux platforms, potentially increasing the number of victims and improving its chances of successful ransom negotiations.
A Growing Trend in Ransomware Attacks
The shift towards targeting ESXi virtual machines has been observed for several years. Enterprises have increasingly adopted ESXi for data storage and hosting critical applications due to its efficient resource management. Consequently, ransomware groups are focusing on these environments to maximise disruption and coercion. Attacking ESXi VMs can severely impact business operations, and encrypting files and backups leaves organisations with limited recovery options.
Technical Details and Execution
During their investigation, Trend Micro discovered that Play ransomware uses URL-shortening services provided by a threat actor known as Prolific Puma. Once deployed, the ransomware scans and powers off all virtual machines in the compromised environment before starting the encryption process. The encrypted files, including VM disk, configuration, and metadata files, are tagged with a .PLAY extension.
To power off VMware ESXi virtual machines before encrypting them, the ransomware executes the following shell command:
/bin/sh -c "for vmid in $(vim-cmd vmsvc/getallvms | grep -v Vmid | awk '{print $1}'); do vim-cmd vmsvc/power.off $vmid; done"
This variant specifically targets the VMFS (Virtual Machine File System) used by VMware's vSphere server virtualisation suite. A ransom note is also dropped in the VM's root directory and is displayed in the ESXi client's login portal and console after a reboot.
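As an added defender-side example that is not from the original article or Trend Micro's report, the following Python script triages the two artefacts described above: the enumerate-then-power-off shell command, as it would appear in ESXi shell history (lines in the style of /var/log/shell.log), and .PLAY-suffixed VM files on a datastore. The log lines and datastore paths are constructed sample data, and the set of VM file extensions is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of ESXi /var/log/shell.log (not real log data).
SAMPLE_SHELL_LOG = """\
2024-07-19T10:02:15Z shell[2001]: [root]: vim-cmd vmsvc/getallvms
2024-07-19T10:05:40Z shell[2002]: [root]: /bin/sh -c "for vmid in $(vim-cmd vmsvc/getallvms | grep -v Vmid | awk '{print $1}'); do vim-cmd vmsvc/power.off $vmid; done"
2024-07-19T10:06:01Z shell[2002]: [root]: ls /vmfs/volumes/datastore1/
"""

# Constructed datastore listing: web01 already encrypted, db01 still intact.
SAMPLE_DATASTORE = [
    "/vmfs/volumes/datastore1/web01/web01.vmx.PLAY",
    "/vmfs/volumes/datastore1/web01/web01-flat.vmdk.PLAY",
    "/vmfs/volumes/datastore1/db01/db01.vmx",
    "/vmfs/volumes/datastore1/db01/db01-flat.vmdk",
]

LOG_LINE = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")
# A lone getallvms is routine admin work; enumerate-then-power.off in ONE command is the signal.
MASS_POWEROFF = re.compile(r"vmsvc/getallvms.*vmsvc/power\.off")
VM_FILE_EXTS = (".vmdk", ".vmx", ".vmsd", ".nvram")  # assumed disk, configuration and metadata files

def find_mass_poweroff(log_text):
    """Return (timestamp, user, command) for shell entries that loop power.off over all VMs."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and MASS_POWEROFF.search(m.group("cmd")):
            hits.append((m.group("ts"), m.group("user"), m.group("cmd")))
    return hits

def find_play_encrypted(paths):
    """Group .PLAY-suffixed VM files by VM folder, ignoring non-VM files that happen to match."""
    by_vm = defaultdict(list)
    for p in paths:
        if p.endswith(".PLAY") and p[:-len(".PLAY")].endswith(VM_FILE_EXTS):
            by_vm[p.rsplit("/", 1)[0]].append(p)
    return dict(by_vm)

def triage(log_text, paths):
    """Combine both signals into a single verdict a responder can act on."""
    poweroff, encrypted = find_mass_poweroff(log_text), find_play_encrypted(paths)
    verdict = {(True, True): "active-encryption", (True, False): "mass-poweroff-only",
               (False, True): "encrypted-files-only", (False, False): "clean"}
    return {"verdict": verdict[(bool(poweroff), bool(encrypted))],
            "poweroff_events": poweroff, "encrypted_vms": encrypted}
```

Running triage(SAMPLE_SHELL_LOG, SAMPLE_DATASTORE) yields the "active-encryption" verdict with the 10:05:40Z power-off event and the two encrypted web01 files; a mass power-off with no .PLAY files yet is the earlier, more valuable warning.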
History and Impact of Play Ransomware
Play ransomware emerged in June 2022, with its first victims seeking assistance on BleepingComputer's forums. The operators are notorious for stealing sensitive data from compromised devices, utilising double-extortion tactics to coerce victims into paying ransoms under the threat of data leaks.
Prominent victims of Play ransomware include cloud computing company Rackspace, the City of Oakland in California, car retailer Arnold Clark, the Belgian city of Antwerp, and Dallas County. In December, a joint advisory from the FBI, CISA, and the Australian Cyber Security Centre (ACSC) warned that the ransomware gang had breached approximately 300 organisations worldwide by October 2023.
Defensive Measures
In response to this evolving threat, the advisory from the three government agencies recommends activating multifactor authentication wherever possible, maintaining offline backups, implementing a robust recovery plan, and ensuring all software is up to date.
To Sum Up
The discovery of Play ransomware's new Linux locker for ESXi environments underscores the increasing sophistication and adaptability of ransomware groups. Organisations must stay vigilant and implement comprehensive cyber security measures to protect against these evolving threats.