Play ransomware is the latest ransomware gang to launch a specific Linux locker for encrypting VMware ESXi virtual machines. Trend Micro, whose analysts discovered the new ransomware variation, claims the locker is designed to verify whether it is operating in an ESXi environment before executing and can bypass detection on Linux systems.
"This is the first time that we've observed Play ransomware targeting ESXi environments," Trend Micro stated. "This development suggests that the group could be broadening its attacks across the Linux platform, leading to an expanded victim pool and more successful ransom negotiations."
This has been a well-known trend for years, with most ransomware organisations turning their focus to ESXi virtual machines after companies started using them for data storage and critical application hosting due to their far more effective resource management. Taking down an organization's ESXi VMs will cause significant business disruptions and outages, whereas encrypting files and backups severely limits the victims' ability to restore compromised data.
While examining this Play ransomware sample, Trend Micro discovered that the ransomware gang leverages URL-shortening services provided by a threat actor known as Prolific Puma.
After successfully launching, Play ransomware Linux samples will search and power down all VMs discovered in the compromised environment before encrypting files (e.g., VM disc, configuration, and metadata files), inserting the.PLAY extension to the end of each file. According to Trend Micro, the encryptor will execute a specific code to shut down all running VMware ESXi virtual machines so that they can be encrypted.
The Play ransomware emerged in June 2022, with the first victims seeking help in BleepingComputer forums. Its operators are infamous for stealing sensitive information from compromised devices, which they then use in double-extortion attempts to force victims into paying a ransom under the threat of releasing the stolen data online.
Rackspace, the City of Oakland in California, Arnold Clark, the Belgian city of Antwerp, and Dallas County are among the high-profile victims of the Play ransomware. In December, the FBI issued a joint advisory with CISA and the Australian Cyber Security Centre (ACSC) warning that the ransomware group had penetrated about 300 organisations worldwide until October 2023.