Understanding Play Ransomware's New Linux Variant Targeting ESXi

To help you understand this discovery in the context of the growing Linux ransomware threat and measures you can take to secure your systems against it, I'll break down how this ransomware has evolved and its infection mechanism and discuss best practices you can implement to protect against it.  

Understanding the Evolution of Play Ransomware

Since its discovery in June 2022, the Play ransomware group has earned notoriety for employing double-extortion tactics and advanced evasion techniques to cause significant disruption across various sectors, particularly those in the US and Latin America. While historically associated with attacks against Windows systems running VMWare ESXi virtualization platforms, their recent expansion into Linux environments running VMWare ESXi signals an alarming trend because such environments often host critical business applications and data.

Infection Mechanism of the Linux Variant

The Linux variant of Play ransomware exhibits advanced evasion techniques and an attack strategy explicitly tailored for ESXi environments. Before executing its payload, this malware verifies whether or not it is running on an ESXi system; otherwise, it terminates and deletes itself immediately to minimize traces and reduce detection chances.

Once inside an ESXi environment, ransomware uses several shell script commands to initiate its attack. These commands, executed via the ESXi shell interface, include:

• Scanning and Powering Off VMs: The script detects all virtual machines (VMs) by running vim-cmd vmsvc/getallvms and powers them off using vim-cmd vmsvc/power.off.
• Setting Custom Welcome Messages: The malware modifies the welcome message of an ESXi host via the command esxcli system welcomemsg set -m=.
• Encryption: The ransomware can encrypt VM disk files, configuration files, and metadata files, which contain essential applications and user data that could otherwise halt business operations. It uses encryption techniques that encrypt files with ".PLAY" extensions and drops a ransom note in the root directory; this note also appears on the ESXi client login portal, locking administrators out until their ransom has been paid.

Evasion Techniques & Detection Challenges

The Play ransomware group's ability to bypass security measures is particularly alarming. The malware often comes compressed in RAR files alongside Windows variants to increase its chances of reaching its targets without being flagged by security systems.

PsExec, NetScan, WinSCP, WinRAR, and Coroxy backdoor tools associated with these ransomware infections reside on servers that are crucial parts of its infection chain. Tracking and neutralizing them remains challenging due to their widespread use in legitimate operations.

How Is the Play Ransomware Group Tied to Prolific Puma?

The Play ransomware group has been linked with Prolific Puma, an obscure cybercriminal group. Prolific Puma is notorious for producing domains using its Destination Generation Algorithm (DGA) that it sells to other cybercriminals to evade detection; domains linked with Prolific Puma infrastructure share numerous similarities in registration patterns and IP address resolution.

IP Address 108.61.142.190 hosts multiple tools used by Play ransomware and registers domain names like ztqs.info and zfrb.info through providers like Porkbun and NameCheap - evidence supporting a mutualistic relationship, where Play ransomware uses Prolific Puma's evasion services to expand its malicious activities.

Practical Mitigation Strategies for Protecting Against Ransomware Attacks on ESXi Environments

Given the sophisticated nature of the Play ransomware group and its Linux variant, administrators must employ a multi-layered defense strategy to protect ESXi environments from potential attacks. Here are some actionable mitigation strategies:

• Regular Backups: Critical data and configurations must be regularly backed up online or on separate network segments to prevent an attack from encrypting them. Backup verification should also occur regularly to ensure data integrity and rapid recovery capabilities.
• Patch Management: Maintain all systems, including VMWare ESXi, with the latest security patches to reduce vulnerability to ransomware.
• Network Segmentation: Implement network segmentation to limit malware's movement laterally across networks. Limit access to ESXi environments and critical systems only to personnel required and ensure proper security monitoring and incident response procedures are in place.
• Advanced Threat Detection: Utilize advanced threat detection and intrusion prevention systems. Review logs regularly for unusual activity and conduct regular security audits.
• Access Controls: Employ multi-factor authentication when accessing ESXi environments or critical systems. Limit the use of administrative privileges and regularly review access policies.
• User Education and Awareness: To increase employees' awareness of ransomware and phishing attacks, employees should be educated, and mock phishing exercises should be conducted. 

Our Final Thoughts on Combating the Growing Linux Ransomware Threat

Adopting these strategies, Linux administrators can reduce the risks posed by ransomware attacks and ensure the resilience of their ESXi environments. As ransomware tactics constantly evolve, staying informed and proactive is vital in protecting critical business operations from disruption.