Play Ransomware Targets VMware ESXi Environments

A new Linux variant of Play ransomware has been targeting VMware ESXi environments. Businesses often use ESXi environments to run multiple virtual machines (VMs), typically hosting backup solutions, critical applications, and data storage. This new variant of Play ransomware still uses many of the same tactics, techniques, and procedures (TTPs) as prior Windows versions.
Play’s Linux infection chain. Image Source: Trend Micro
Play’s attacks begin with phishing messages that use shortened URLs obtained from Prolific Puma, a threat actor that provides link-shortening services to cybercriminals. Once in the system, Play runs specific commands to determine whether it is running in an ESXi environment before performing any malicious activity; if it is not, the malware terminates and deletes itself. If the check succeeds, Play runs a series of shell commands that scan for and power off all VMs in the environment. It then encrypts files, including the VM disk, configuration, and metadata files, and appends the “.PLAY” extension to each encrypted file.
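Two of the behaviours described above are visible to a defender after the fact: a burst of VM power-off events in a short window, and VM disk, configuration and metadata files renamed with a trailing “.PLAY”. The script below is an added example written for this write-up; it is not code from the advisory or from Trend Micro. The datastore listing and the event-log line format it parses are constructed for illustration (the `vmevent:` line shape is hypothetical, not a real ESXi log format), so adapt the regular expression to the log source you actually collect.

```python
"""Hunt for Play-style ESXi encryption indicators.

Added example; not code from the advisory or from Trend Micro. It checks two
indicators the write-up describes: a burst of VM power-off events and VM
disk/configuration/metadata files renamed with a trailing ".PLAY". The
datastore listing and the event-log line format are constructed for this
example and do not reproduce real ESXi log formats.
"""
from __future__ import annotations

import posixpath
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# File types the advisory names as encrypted: VM disk, configuration, metadata.
VM_EXTENSIONS = {".vmdk", ".vmx", ".vmsd", ".vmxf", ".nvram", ".vmsn"}
RANSOM_SUFFIX = ".PLAY"

# Hypothetical event-log line format used by this example only.
POWEROFF_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z \S+ vmevent: "
    r"VM '(?P<vm>[^']+)' powered off"
)


@dataclass
class Findings:
    encrypted_files: list[str] = field(default_factory=list)
    affected_vms: set[str] = field(default_factory=set)
    peak_poweroffs: int = 0      # most power-offs seen inside one window
    poweroff_burst: bool = False


def find_encrypted_files(paths: list[str]) -> tuple[list[str], set[str]]:
    """Return every path ending in .PLAY and the VM folders whose VM files were hit.

    ESXi keeps each VM's files in its own datastore folder, so the parent
    directory name of an encrypted VM file identifies the affected VM.
    """
    hits: list[str] = []
    vms: set[str] = set()
    for path in paths:
        if not path.endswith(RANSOM_SUFFIX):
            continue
        hits.append(path)
        original = path[: -len(RANSOM_SUFFIX)]  # name before .PLAY was appended
        if posixpath.splitext(original)[1].lower() in VM_EXTENSIONS:
            vms.add(posixpath.basename(posixpath.dirname(original)))
    return hits, vms


def max_poweroffs_in_window(log_lines: list[str], window_seconds: int = 60) -> int:
    """Largest number of VM power-off events inside any window of the given length."""
    times: list[datetime] = []
    for line in log_lines:
        match = POWEROFF_RE.match(line)
        if match:
            times.append(datetime.strptime(match.group("ts"), "%Y-%m-%dT%H:%M:%S"))
    times.sort()
    best = start = 0
    window = timedelta(seconds=window_seconds)
    for end, stamp in enumerate(times):        # two-pointer sliding window
        while stamp - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def assess(paths: list[str], log_lines: list[str],
           window_seconds: int = 60, burst_threshold: int = 3) -> Findings:
    """Combine both indicators into one Findings record."""
    hits, vms = find_encrypted_files(paths)
    peak = max_poweroffs_in_window(log_lines, window_seconds)
    return Findings(hits, vms, peak, peak >= burst_threshold)


# Constructed sample datastore listing (not real data).
SAMPLE_LISTING = [
    "/vmfs/volumes/ds1/backupsrv/backupsrv.vmx.PLAY",
    "/vmfs/volumes/ds1/backupsrv/backupsrv-flat.vmdk.PLAY",
    "/vmfs/volumes/ds1/backupsrv/backupsrv.vmsd.PLAY",
    "/vmfs/volumes/ds1/fileserver/fileserver.vmdk.PLAY",
    "/vmfs/volumes/ds1/notes/notes.txt.PLAY",
    "/vmfs/volumes/ds1/iso/installer.iso",
]

# Constructed sample event log in the hypothetical format above (not real data).
SAMPLE_LOG = [
    "2024-07-09T18:00:00Z esx01 vmevent: VM 'test' powered off by admin",
    "2024-07-10T02:14:03Z esx01 vmevent: VM 'backupsrv' powered off by root",
    "2024-07-10T02:14:05Z esx01 vmevent: VM 'fileserver' powered off by root",
    "2024-07-10T02:14:06Z esx01 vmevent: VM 'dc01' powered off by root",
    "2024-07-10T02:14:08Z esx01 vmevent: VM 'app01' powered off by root",
    "2024-07-10T02:20:00Z esx01 vmevent: VM 'app01' powered on by root",
]

if __name__ == "__main__":
    result = assess(SAMPLE_LISTING, SAMPLE_LOG)
    print(f"encrypted files: {len(result.encrypted_files)}")
    print(f"affected VMs: {sorted(result.affected_vms)}")
    print(f"peak power-offs in 60s: {result.peak_poweroffs}, burst: {result.poweroff_burst}")
```

The burst threshold and window are deliberately small so a handful of events on a single host stands out; on a large cluster, tune them against the normal rate of maintenance power-offs so planned host evacuations do not trip the check.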
Play ransomware was first discovered in 2022 and is known for exfiltrating sensitive information from compromised systems and using double-extortion tactics to pressure victims into paying the ransom to prevent data leakage. In December, the FBI released a joint advisory with CISA and the Australian Cyber Security Centre (ACSC) stating that Play had breached approximately 300 victims as of October 2023. A new report shows that from January to July 2024, Play ransomware has targeted 187 victims, with over 82 percent of the attacks based in the United States.
Recommendations
- Establish a comprehensive data backup plan that includes regularly performing scheduled backups, keeping an updated copy offline in a separate and secure location, and testing it regularly.
- Avoid clicking links in, responding to, or otherwise acting on unsolicited emails.
- Keep systems up to date and apply patches after appropriate testing.
- Use strong, unique passwords for all accounts and enable multi-factor authentication (MFA) where available, choosing authentication apps or hardware tokens over SMS text-based codes.
- Use network segmentation to isolate valuable assets and help prevent the spread of ransomware and malware.
- Enforce the principle of least privilege, disable unused ports and services, and use web application firewalls (WAFs).
- Maintain robust and up-to-date endpoint detection tools on every endpoint, and consider behavior-based detection tools rather than signature-based tools.
- Report ransomware and other malicious cyber activity to the FBI’s IC3 and the NJCCIC.