New Play Ransomware Linux Variant Targets ESXi, Shows Ties With Prolific Puma

Trend Micro threat hunters uncovered a Linux variant of the Play ransomware that targets VMware ESXi hosts and appears connected to Prolific Puma infrastructure. The variant extends Play's reach from Windows to Linux/ESXi, and the way it was staged (the same tooling Play uses in its Windows intrusions, served from an IP linked to Prolific Puma's registered-DGA domains) points to collaboration or shared infrastructure between the two groups. #PlayRansomware #ProlificPuma #ESXi #CoroxyBackdoor

Keypoints

  • The Play ransomware group released a Linux variant that first checks whether it is running on an ESXi host and only then proceeds to encrypt.
  • The variant targets the files that make up a virtual machine (VM disks, configuration and metadata files), appends the .PLAY extension to each encrypted file, drops its ransom note in the ESXi root directory and surfaces the same demand on the host's login screen.
  • At the time of Trend Micro's analysis the Linux sample had no detections on VirusTotal. That count is a point-in-time snapshot, not evidence that the sample is unusual; hunt on the hash and on the host behaviour below rather than waiting for an AV verdict.
  • The variant drives the hypervisor with its own command-line tooling (vim-cmd, esxcli): it powers off running VMs before encrypting their files (a running VM holds locks on its disk files) and sets a custom welcome message so the ransom text appears at login.
  • The tooling seen alongside the Linux variant (PsExec, NetScan, WinRAR, the Coroxy backdoor and others) is the set Play already uses on Windows, and it was hosted on infrastructure reportedly tied to Prolific Puma.
  • Evidence of the link includes Prolific Puma's registered-DGA domains and several of those domains resolving to a single IP that also figures in the Play infrastructure, tying this activity to Prolific Puma's domain ecosystem.
  • Trend Micro provides mitigations for ESXi environments and threat-hunting queries in Trend Micro Vision One for detecting the Linux/PLAY activity.
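
The host-side checks that follow from the behaviour above, as an added example (not Trend Micro's tooling and not code from the sample): a POSIX sh triage script for an ESXi host that looks for .PLAY-renamed files under the datastores, a ransom note in the host root, and a tampered welcome message. The note file name (ReadMe.txt) and the ransom-text keywords are assumptions; the datastore tree and banner it runs against when esxcli is absent are constructed so the script can be run anywhere.

```shell
#!/bin/sh
# Added triage example for the Play ESXi behaviour described above.
# Not Trend Micro's code and not from the sample. Run from the ESXi shell
# on a real host; without esxcli it falls back to a constructed datastore
# tree and banner so it can be reviewed on any POSIX sh.

DATASTORE_ROOT=${DATASTORE_ROOT:-/vmfs/volumes}
NOTE_NAME=${NOTE_NAME:-ReadMe.txt}   # assumption: Play's note file name

# Number of files carrying the .PLAY extension below a directory.
count_play_files() {
    find "$1" -type f -name '*.PLAY' 2>/dev/null | wc -l | tr -d ' '
}

# VM folders that hold at least one .PLAY file, one per line.
hit_vm_folders() {
    find "$1" -type f -name '*.PLAY' 2>/dev/null |
        while read -r f; do dirname "$f"; done | sort -u
}

# 0 if the welcome message reads like a ransom demand, 1 otherwise.
# Keyword list is an assumption; a stock ESXi host has an empty banner.
welcome_msg_suspicious() {
    [ -n "$1" ] || return 1
    printf '%s' "$1" | grep -qiE 'PLAY|decrypt|ransom'
}

# Live banner from esxcli when present, else a constructed sample.
get_welcome_msg() {
    if command -v esxcli >/dev/null 2>&1; then
        esxcli system welcomemsg get
    else
        printf 'CONSTRUCTED: your files are encrypted (.PLAY); contact us to decrypt'
    fi
}

# triage HOST_ROOT DATASTORE_ROOT WELCOME_MSG
# Prints findings; returns 0 when clean, 2 when any indicator fired.
triage() {
    found=0
    n=$(count_play_files "$2")
    if [ "$n" -gt 0 ]; then
        echo "[!] $n .PLAY files under $2 in:"
        hit_vm_folders "$2" | sed 's/^/      /'
        found=1
    fi
    if [ -f "$1/$NOTE_NAME" ]; then
        echo "[!] ransom note present: $1/$NOTE_NAME"
        found=1
    fi
    if welcome_msg_suspicious "$3"; then
        echo "[!] welcome message tampered: $3"
        found=1
    fi
    if [ "$found" -eq 0 ]; then
        echo "[+] no Play artifacts found"
        return 0
    fi
    return 2
}

# Constructed datastore: two VMs, web01 already encrypted, db01 untouched.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/datastore1/web01" "$root/datastore1/db01"
    : > "$root/datastore1/web01/web01.vmx.PLAY"
    : > "$root/datastore1/web01/web01-flat.vmdk.PLAY"
    : > "$root/datastore1/db01/db01.vmx"
    : > "$root/datastore1/db01/db01-flat.vmdk"
    printf 'constructed note\n' > "$root/$NOTE_NAME"
    printf '%s' "$root"
}

if command -v esxcli >/dev/null 2>&1; then
    triage / "$DATASTORE_ROOT" "$(get_welcome_msg)" || echo "[*] status $?: escalate this host"
else
    SAMPLE=$(build_sample_tree)
    triage "$SAMPLE" "$SAMPLE" "$(get_welcome_msg)" || echo "[*] status $?: escalate this host"
    rm -rf "$SAMPLE"
fi
```

On a real host run it as root from the ESXi shell; exit status 2 means at least one indicator fired. A .PLAY hit on a VM folder should be followed up with vim-cmd vmsvc/getallvms to map the folder to a VM ID and power state, and the banner text should be preserved as evidence before it is cleared.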

MITRE Techniques

  • [T1568.002] Dynamic Resolution: Domain Generation Algorithms – The infrastructure tied to this activity uses Prolific Puma's registered-DGA (RDGA) domains. These are algorithmically generated names the actor registers in bulk rather than computes on the victim, so there is no client-side generator to reverse; hunt on the domain list and on the IP the domains share.
  • [T1105] Ingress Tool Transfer – Tooling is pulled from the malicious hosting IP: PsExec, NetScan, WinRAR, the Coroxy backdoor and the Play binary itself, staged as an archive. “downloads and executes tools like PsExec, NetScan, WinRAR, and others from malicious domains.”
  • [T1570] Lateral Tool Transfer – Once inside, the same tools (PsExec, NetScan and others) are copied between hosts to extend the intrusion across the network.
  • [T1059.004] Command and Scripting Interpreter: Unix Shell – The Linux variant runs shell commands on the ESXi host to stage its payload and drive the hypervisor.
  • [T1046] Network Service Discovery – NetScan, part of the staged toolset, sweeps the network for reachable hosts and services. The vim-cmd and esxcli calls on the ESXi host enumerate VMs and hypervisor state rather than network services; treat those as host-level discovery when mapping detections.
  • [T1083] File and Directory Discovery – The variant walks the datastores for the VM files (disks, configuration, metadata) it will encrypt.
  • [T1486] Data Encrypted for Impact – VM files on the ESXi host are encrypted and renamed with the .PLAY extension. “encrypts files and VM files within the ESXi environment to disrupt operations and demand a ransom.”
  • [T1491.001] Defacement: Internal Defacement – The ESXi welcome message is replaced with the ransom text, so the demand is shown on the host's console and Host Client login screen.
  • [T1489] Service Stop – Running VMs are powered off through the ESXi command-line tooling before encryption, which releases their disk files and maximises the outage while blocking in-place recovery.
  • [T1041] Exfiltration Over C2 Channel – Play is a double-extortion operation; data collected before encryption (WinRAR in the toolset is consistent with archiving it first) may leave the network over the C2 channel.
  • [T1070.004] Indicator Removal: File Deletion – The ransomware deletes specific files or logs after running to hinder detection and cleanup.

Indicators of Compromise

  • [File Hash] 2a5e003764180eb3531443946d2f3c80ffcb2c30 – SHA-1 of the Linux ELF sample (Play ESXi variant)
  • [URL] hxxp://108.61.142.190/FX300.rar – Hosting URL for Play Ransomware Binary
  • [IP Address] 108.61.142.190 – Observed hosting IP for payload/tooling
  • [URL] hxxp://108.61.142.190/1.dll.sa – Hosting URL for Coroxy Backdoor
  • [URL] hxxp://108.61.142.190/64.zip – Hosting URL for NetScan
  • [URL] hxxp://108.61.142.190/winrar-x64-611.exe – Hosting URL for WinRAR
  • [URL] hxxp://108.61.142.190/PsExec.exe – Hosting URL for PsExec
  • [URL] hxxp://108.61.142.190/host1.sa – Hosting URL for Coroxy Backdoor
  • [Domain] ztqs.info – Domain (RDGA) used in Prolific Puma activity
  • [Domain] zfrb.info – Domain (RDGA) used in Prolific Puma activity
  • [Domain] xzdw.info – Domain (RDGA) used in Prolific Puma activity
  • [Domain] iing.info – Domain (RDGA) used in Prolific Puma activity
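
A grep-driven hunt over the indicators above, as an added example (not the Vision One queries the article refers to and not code from the page): it turns the IP, the RDGA domains and the file hash into anchored patterns so that iing.info does not fire on a longer name such as skiing.info, then reports the matching lines and a per-indicator hit count. The DNS, proxy and EDR log lines are constructed.

```shell
#!/bin/sh
# Added IOC-hunt example over the indicators listed above. Not Trend Micro's
# Vision One query and not code from the page. The log lines are constructed;
# point LOG at real DNS, proxy or EDR exports to run it for real.

IOC_FILE=$(mktemp)
LOG=$(mktemp)
trap 'rm -f "$IOC_FILE" "$LOG"' EXIT

# Atomic indicators from the page: hosting IP, Prolific Puma RDGA domains,
# SHA-1 of the ELF. The hosting URLs are covered by the IP they live on.
cat > "$IOC_FILE" <<'EOF'
108.61.142.190
ztqs.info
zfrb.info
xzdw.info
iing.info
2a5e003764180eb3531443946d2f3c80ffcb2c30
EOF

# Constructed log lines: two true DNS hits (one via a subdomain), a proxy
# fetch of PsExec from the hosting IP, an EDR hash sighting, and two decoys
# (skiing.info must not trip iing.info; a WinRAR download from elsewhere
# is not an IOC match on its own).
cat > "$LOG" <<'EOF'
T1 dns client=10.0.5.21 qtype=A name=ztqs.info
T2 dns client=10.0.5.21 qtype=A name=www.zfrb.info
T3 proxy src=10.0.5.21 method=GET url=http://108.61.142.190/PsExec.exe status=200
T4 dns client=10.0.7.3 qtype=A name=skiing.info
T5 proxy src=10.0.7.3 method=GET url=http://example.com/winrar-x64-611.exe status=200
T6 edr host=esx-mgmt01 event=file_create sha1=2A5E003764180EB3531443946D2F3C80FFCB2C30
EOF

# stdin: one indicator per line -> stdout: one anchored ERE per line.
# Dots are escaped and each side must be a non-hostname character or a
# line edge, so a subdomain still matches but a longer name does not.
ioc_to_regex() {
    sed 's/\./\\./g; s/.*/(^|[^A-Za-z0-9-])&([^A-Za-z0-9-]|$)/'
}

# hunt LOGFILE IOCFILE -> prints every log line containing an indicator
# (case-insensitive, so the hash matches in either case). Returns 1 on no hit.
hunt() {
    pat=$(mktemp)
    ioc_to_regex < "$2" > "$pat"
    rc=0
    grep -iE -f "$pat" "$1" || rc=$?
    rm -f "$pat"
    return "$rc"
}

# ioc_counts LOGFILE IOCFILE -> "<count> <indicator>" for indicators that fired.
ioc_counts() {
    while read -r ioc; do
        [ -n "$ioc" ] || continue
        re=$(printf '%s\n' "$ioc" | ioc_to_regex)
        c=$(grep -icE "$re" "$1" || true)
        [ "$c" -gt 0 ] && printf '%s %s\n' "$c" "$ioc"
    done < "$2"
    return 0
}

echo "== matching lines =="
hunt "$LOG" "$IOC_FILE" || echo "(no hits)"
echo "== hits per indicator =="
ioc_counts "$LOG" "$IOC_FILE"
```

The boundary anchoring matters more than it looks: four-character RDGA labels such as iing or zfrb are short enough to appear inside legitimate hostnames, so an unanchored substring match would bury real hits in noise. A hit on the hosting IP from a management host is the strongest single signal here, since that IP served the ransomware archive as well as the Windows tooling.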

Read more: https://www.trendmicro.com/en_us/research/24/g/new-play-ransomware-linux-variant-targets-esxi-shows-ties-with-p.html