Source |
RiskIQ |
Identifier |
8540519 |
Publication date |
2024-07-19 21:17:33 (viewed: 2024-07-19 22:07:49) |
Title |
Play Ransomware Group's New Linux Variant Targets ESXi, Shows Ties With Prolific Puma |
Text |
## Snapshot
Trend Micro's Threat Hunting team discovered a Linux variant of [Play ransomware](https://security.microsoft.com/intel-profiles/5052c3d91b03a0996238bf01061afdd101c04f1afb7aeda1fc385a19b4f1b68e) that targets files only in VMware ESXi environments.
## Description
First detected in June 2022, Play ransomware is known for its double-extortion tactics and custom-built tools, impacting many organizations in Latin America. According to Trend Micro, this marks the first instance of Play ransomware attacking ESXi environments, indicating a potential broadening of targets across the Linux platform, which could increase their victim pool and ransom negotiation success.
VMware ESXi environments host multiple virtual machines (VMs) and critical applications, making them prime targets. Compromising these can disrupt business operations and encrypt backups, hindering data recovery efforts. The Play ransomware variant was found compressed with its Windows counterpart in a RAR file on a malicious URL, showing zero detections on VirusTotal.
The infection chain involves several tools, including PsExec, NetScan, WinSCP, WinRAR, and the Coroxy backdoor. The ransomware runs ESXi-specific commands, turning off VMs before encrypting critical files, which are appended with the ".PLAY" extension. A ransom note is then displayed in the ESXi client login portal.
The Linux variant of Play ransomware uses a command-and-control server hosting common tools for its attacks, potentially employing similar tactics to its Windows variant. The IP address associated with the ransomware is linked to another threat actor, Prolific Puma, known for generating domain names and providing link-shortening services to cybercriminals. The shared infrastructure between Play ransomware and Prolific Puma suggests a collaboration, enhancing Play ransomware's ability to evade detection and bolster its attack strategies.
## Microsoft Analysis
Microsoft has been tracking deployment of Play ransomware since August 2022 and attributes all Play ransomware deployments to [Storm-0882](https://security.microsoft.com/intel-profiles/c04feb84dd2e6f360e482dc8a608da3b4e749cd651cab8d209326ae35522c6d5) (DEV-0882). The group primarily accesses targets through exploitation of internet-facing systems, including using compromised credentials to access exposed Remote Desktop Protocol (RDP) and [Microsoft Exchange Server](https://security.microsoft.com/intel-explorer/articles/692dd201) systems.
## Detections/Hunting Queries
Microsoft Defender Antivirus detects threat components as the following malware:
- *[Behavior:Win32/Play](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/Play.F&threatId=-2147130447)*
- *[Behavior:Win32/Ransomware!Play](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/Ransomware!Play.A&threatId=-2147136108)*
- *[Ransom:Win32/Play](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Play.D&threatId=-2147130524)*
- *[Ransom:Linux/Playde](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Linux/Playde!MTB)*
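The write-up notes that the Linux variant appends the ".PLAY" extension to the files it encrypts on the ESXi datastore. A responder's first question after an alert is usually "which VMs were touched, and which of their files". The following triage script is an added example, not code from Microsoft, Trend Micro or the Play operators: it walks a datastore-style directory tree, reports every file carrying the ".PLAY" extension grouped by the VM folder it sits in, and recovers the original file types so the impact per VM is visible at a glance. The folder layout and file names it builds are constructed sample data; point `summarize()` at a real datastore mount to use it for real.

```python
"""Datastore triage for the ".PLAY" extension (added example, not the
original article's code).

Walks a directory tree the way a responder would walk an ESXi datastore
mount, collects files whose name ends in ".PLAY" and groups them by the
VM folder they live in. The sample tree built by build_sample_tree() is
constructed for demonstration only.
"""
import os
import tempfile
from collections import defaultdict

# Extension the article reports being appended to encrypted files.
RANSOM_EXT = ".PLAY"


def find_encrypted_files(root):
    """Return {vm_folder: [file names]} for every file ending in RANSOM_EXT."""
    hits = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(RANSOM_EXT):
                rel = os.path.relpath(dirpath, root)
                hits[rel].append(name)
    return dict(hits)


def original_name(encrypted_name):
    """Strip the appended extension to recover the original file name."""
    if encrypted_name.endswith(RANSOM_EXT):
        return encrypted_name[:-len(RANSOM_EXT)]
    return encrypted_name


def summarize(root):
    """Per VM folder: how many files were encrypted and which VM file types."""
    summary = {}
    for folder, names in find_encrypted_files(root).items():
        kinds = sorted({os.path.splitext(original_name(n))[1].lower()
                        for n in names})
        summary[folder] = {"count": len(names), "types": kinds}
    return summary


def build_sample_tree(base):
    """Constructed sample datastore: two VMs touched, one left intact."""
    layout = {
        "vm-web01": ["vm-web01.vmx.PLAY", "vm-web01.vmdk.PLAY", "vmware.log"],
        "vm-db01": ["vm-db01.vmdk.PLAY", "vm-db01.nvram"],
        "vm-test": ["vm-test.vmx", "vm-test.vmdk"],
    }
    for folder, files in layout.items():
        folder_path = os.path.join(base, folder)
        os.makedirs(folder_path, exist_ok=True)
        for name in files:
            with open(os.path.join(folder_path, name), "w") as fh:
                fh.write("constructed sample content\n")
    return base


def demo():
    """Build the constructed tree in a temporary directory and summarize it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return summarize(tmp)


if __name__ == "__main__":
    for folder, info in sorted(demo().items()):
        print(f"{folder}: {info['count']} encrypted file(s), "
              f"original types {info['types']}")
```

Only the extension is used as the indicator because that is the only file-level artifact the article gives; a folder with no hits (here `vm-test`) is simply absent from the summary, which is the signal a responder wants when deciding which VMs can be restarted and which need restoring from backup.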
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Harden internet-facing assets and identify and secure perimeter systems that attackers might use to access the network. Public scanning interfaces, such as [Microsoft Defender External Attack Surface Management](https://www.microsoft.com/security/business/cloud-security/microsoft-defender-external-attack-surface-management), can be used to augment data. The Attack Surface Summary dashboard both surfaces assets such as Exchange servers which require security updates as well as provides recommended remediation steps.
- Secure RDP or Windows Virtual Desktop endpoints with multifactor authenti |
Notes |
★★★
|
Sent |
Yes |
Tags |
Ransomware
Malware
Tool
Threat
Prediction
|