New Linux Variant of Play Ransomware Targeting VMWare ESXi Systems

July 22, 2024 at 12:24AM

A new Linux variant of the Play ransomware, known for double extortion tactics, has been discovered by Trend Micro researchers. This variant targets VMware ESXi environments, expanding its potential victim pool. The ransomware has targeted industries such as manufacturing, IT, and retail, and appears to use services provided by Prolific Puma to evade detection.

Key takeaways from the meeting notes:
– A new Linux variant of the Play ransomware, known for double extortion tactics, has been discovered, suggesting a broader attack scope and an expanded victim pool.
– The ransomware has victimized over 300 organizations, with the U.S. having the highest number of victims, followed by Canada, Germany, the U.K., and the Netherlands.
– The top industries affected include manufacturing, professional services, construction, IT, retail, financial services, transportation, media, legal services, and real estate.
– The Linux variant uses tools such as PsExec, NetScan, WinSCP, WinRAR, and the Coroxy backdoor in its attacks, and targets VMware ESXi environments.
– The ransomware group is likely using services and infrastructure provided by Prolific Puma to evade detection and distribute malware, indicating potential collaboration between two cybercriminal entities.
– An analysis suggests that ESXi environments are high-value targets for ransomware attacks due to their critical role in business operations and the efficiency of encrypting numerous VMs simultaneously.
