New Play ransomware Linux version targets VMware ESXi VMs

Play ransomware is the latest ransomware gang to start deploying a dedicated Linux locker for encrypting VMware ESXi virtual machines.

Cybersecurity company Trend Micro, whose analysts spotted the new ransomware variant, says the locker is designed to first check whether it's running in an ESXi environment before executing and that it can evade detection on Linux systems.

"This is the first time that we've observed Play ransomware targeting ESXi environments," Trend Micro said.

"This development suggests that the group could be broadening its attacks across the Linux platform, leading to an expanded victim pool and more successful ransom negotiations."

This has been a known trend for years now, with most ransomware groups shifting focus towards ESXi virtual machines after enterprises switched to using them for data storage and hosting critical applications due to their much more efficient resource handling.

Taking down an organization's ESXi VMs will lead to major business operations disruptions and outages, while encrypting files and backups drastically reduces the victims' options to recover impacted data.

Play ransomware Linux attack flow (Trend Micro)

While investigating this Play ransomware sample, Trend Micro also found that the ransomware gang is using the URL-shortening services provided by a threat actor tracked as Prolific Puma.

After successfully launching, Play ransomware Linux samples will scan and power off all VMs found in the compromised environment and start encrypting files (e.g., VM disk, configuration, and metadata files), adding the .PLAY extension at the end of each file.

To power off all running VMware ESXi virtual machines so that they can be encrypted, Trend Micro says the encryptor will execute the following code:

As BleepingComputer found while analyzing it, this variant is designed to specifically target VMFS (Virtual Machine File System), which is used by VMware's vSphere server virtualization suite.

It will also drop a ransom note in the VM's root directory, which will be displayed in the ESXi client's login portal (and the console after the VM is rebooted).

Play ransomware Linux console ransom note (Trend Micro)

Play ransomware surfaced in June 2022, with the first victims reaching out for help in BleepingComputer's forums.

Its operators are known for stealing sensitive documents from compromised devices, which they use in double-extortion attacks to pressure victims into paying ransom under the threat of leaking the stolen data online.

High-profile Play ransomware victims include cloud computing company Rackspace, the City of Oakland in California, car retailer giant Arnold Clark, the Belgian city of Antwerp, and Dallas County.

In December, the FBI warned in a joint advisory with CISA and the Australian Cyber Security Centre (ACSC) that the ransomware gang has breached approximately 300 organizations worldwide until October 2023.

The three government agencies advised defenders to activate multifactor authentication wherever possible, maintain offline backups, implement a recovery plan, and keep all software up to date.