July 22, 2024
Severity
High
Analysis Summary
Cybersecurity researchers have uncovered a new Linux variant of the Play ransomware (also known as Balloonfly and PlayCrypt) built to target VMware ESXi environments.
This suggests the group may be expanding its attacks to the Linux platform, widening its pool of victims and strengthening its leverage in ransom negotiations. Play is known for double extortion: it emerged in June 2022, exfiltrates sensitive data before encrypting systems, and then demands payment for the decryption key. As of October 2023, reports from U.S. and Australian authorities indicated that around 300 entities had been affected by the group.
According to researchers' telemetry, the United States accounted for the most victims in the first seven months of 2024, followed by Canada, Germany, the United Kingdom, and the Netherlands. Sectors hit by Play in that period included manufacturing, professional services, construction, IT, retail, financial services, media, legal services, and real estate.
The Linux sample analyzed by the researchers was obtained from a RAR archive hosted on an IP address that also served other tools seen in earlier Play intrusions, including PsExec, NetScan, WinSCP, WinRAR, and the Coroxy backdoor. The command-and-control (C&C) server hosts the same tooling the Play operators currently use, and although no actual infection was observed, this suggests the Linux variant is deployed with comparable tactics, techniques, and procedures (TTPs).
Before encrypting anything, the sample checks that it is running in an ESXi environment. It then encrypts virtual machine (VM) files, including VM disk, configuration, and metadata files, appends the ".PLAY" extension to them, and drops a ransom note in the root directory. Further investigation suggests the Play operators are likely using infrastructure and services from Prolific Puma, which offers other cybercriminals an illicit link-shortening service to help them evade detection while distributing malware.
Specifically, Prolific Puma uses a registered domain generation algorithm (RDGA) to programmatically generate new domain names. Threat actors such as Revolver Rabbit and VexTrio Viper increasingly use this mechanism to distribute malware, spam, and phishing. Revolver Rabbit, for example, is believed to have spent over $1 million registering more than 500,000 domains on the ".bond" top-level domain (TLD), using them as both live and decoy C2 servers for the XLoader stealer (also known as FormBook).
This actor's preferred RDGA pattern is a string of one or more dictionary words followed by a five-digit number, with a dash between each word and the number. Occasionally the actor substitutes ISO 3166-1 country codes, full country names, or year numbers for the dictionary words. Because an RDGA lets a threat actor generate many domain names to register for use in its infrastructure, either all at once or over time, it is far harder to detect and counter than a conventional DGA.
In an RDGA, the threat actor registers every domain name and keeps the algorithm secret. In a conventional DGA, the algorithm ships inside the malware and can be recovered by analysts, and most of the generated domain names are never registered. RDGAs can support a wide range of malicious activity, whereas a DGA is used only to locate a malware controller.
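As an added example (not code from this advisory or from the researchers it cites), the following Python turns the naming pattern described above into a detection heuristic and runs it over a constructed list of domain names of the kind one might pull from passive DNS or a proxy log. The sample domains, the default `.bond` TLD filter, and the function names are assumptions made here; none of the sample names are indicators.

```python
"""Heuristic matcher for the registered-DGA naming pattern described above.

Added example; not code from the advisory or from the researchers it cites.
It encodes the pattern the text attributes to Revolver Rabbit: one or more
dictionary words (or ISO 3166-1 country codes, full country names, or year
numbers) joined by dashes and terminated by a five-digit number.
All sample domains below are constructed for illustration and are not IOCs.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample, shaped like domains pulled from passive DNS or a proxy log.
SAMPLE_DOMAINS = [
    "sunny-harbor-40215.bond",
    "de-2023-88190.bond",             # country code + year, then 5 digits
    "mail.example.com",
    "kq3x9zvlp2.net",                 # random-looking label, classic-DGA style
    "update-77412.bond",
    "united-states-51230.bond",
    "blue-sky-1234.bond",             # only four digits: should not match
    "cdn.static-assets.example.org",
]

# A token is an alphabetic word (dictionary word, country name or two-letter
# country code) or a four-digit year; tokens are dash-separated and the label
# ends in a dash followed by exactly five digits.
_TOKEN = r"(?:[a-z]+|[12][0-9]{3})"
_RDGA_LABEL = re.compile(rf"^{_TOKEN}(?:-{_TOKEN})*-[0-9]{{5}}$")


def registrable_label(domain: str) -> Tuple[str, str]:
    """Split 'a.b.example.bond' into ('example', 'bond').

    Assumption for brevity: the TLD is the last label only, so multi-part
    public suffixes such as co.uk are not handled here.
    """
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def matches_rdga_pattern(domain: str,
                         tlds: Optional[frozenset] = frozenset({"bond"})) -> bool:
    """True if the registrable label follows the words-dash-5digits pattern.

    `tlds` restricts matches to those TLDs (the advisory names only .bond for
    this actor); pass None to match the pattern under any TLD.
    """
    label, tld = registrable_label(domain)
    if tlds is not None and tld not in tlds:
        return False
    return _RDGA_LABEL.fullmatch(label) is not None


def triage(domains: Iterable[str],
           tlds: Optional[frozenset] = frozenset({"bond"})) -> Tuple[List[str], Dict[str, int]]:
    """Return the matching domains and a per-TLD count of matches.

    A burst of many distinct pattern-matching names under one TLD is the
    signal worth alerting on; a single hit on its own is weak evidence.
    """
    hits = [d for d in domains if matches_rdga_pattern(d, tlds)]
    per_tld = Counter(registrable_label(d)[1] for d in hits)
    return hits, dict(per_tld)


if __name__ == "__main__":
    hits, per_tld = triage(SAMPLE_DOMAINS)
    for d in hits:
        print("RDGA-pattern:", d)
    print("matches per TLD:", per_tld)
```

A single match is weak evidence, since words-dash-digits names exist legitimately; the useful signal is volume, many distinct pattern-matching names under one TLD in a short window, which is why `triage` also returns per-TLD counts. Because `registrable_label` treats only the last label as the TLD, real deployments should swap in a public-suffix list before trusting results for multi-part suffixes.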
The latest findings point to a possible partnership between the two criminal groups, suggesting the Play operators are using Prolific Puma's services to get around security controls. ESXi environments are attractive ransomware targets because they are central to business operations: a single host runs multiple VMs, so one encryption run can take down many systems, and the valuable data those VMs hold, at once.
Impact
- Financial Loss
- File Encryption
- Sensitive Data Theft
- Unauthorized Access
Indicators of Compromise
IP
- 108.61.142.190
URL
- http://108.61.142.190/FX300.rar
- http://108.61.142.190/1.dll.sa
- http://108.61.142.190/64.zip
- http://108.61.142.190/winrar-x64-611.exe
- http://108.61.142.190/PsExec.exe
- http://108.61.142.190/host1.sa
MD5
- 1fa3574bb8f45497dbbf8421d0444428
SHA-256
- 7a55c8391fda90a5d4653fdebe2d685edb662859937e14b6756f45e29b76901d
SHA-1
- 2a5e003764180eb3531443946d2f3c80ffcb2c30
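The indicators above can be swept for with a short script. The following Python is an added example rather than tooling from this advisory: the IOC values are copied from the list above, while the proxy log lines it scans, their format (epoch timestamp, client, method, URL), and the file it hashes are constructed here so that it runs offline.

```python
"""Sweep hosts and proxy logs for the IOCs listed above.

Added example, not tooling from the advisory. The IOC values are copied from
the list above; the proxy log lines and the file hashed in demo_sweep() are
constructed so the script runs offline.
"""
import hashlib
import os
import re
import tempfile
from typing import Dict, Iterable, List, Tuple

IOC_IP = "108.61.142.190"
IOC_URLS = {
    "http://108.61.142.190/FX300.rar",
    "http://108.61.142.190/1.dll.sa",
    "http://108.61.142.190/64.zip",
    "http://108.61.142.190/winrar-x64-611.exe",
    "http://108.61.142.190/PsExec.exe",
    "http://108.61.142.190/host1.sa",
}
IOC_HASHES = {
    "md5": {"1fa3574bb8f45497dbbf8421d0444428"},
    "sha1": {"2a5e003764180eb3531443946d2f3c80ffcb2c30"},
    "sha256": {"7a55c8391fda90a5d4653fdebe2d685edb662859937e14b6756f45e29b76901d"},
}

# Constructed proxy log lines (assumed format: epoch, client, method, URL);
# not real traffic.
SAMPLE_PROXY_LOG = """\
1721640001.123 10.0.5.17 GET http://www.example.com/index.html
1721640002.456 10.0.5.17 GET http://108.61.142.190/FX300.rar
1721640003.789 10.0.5.22 CONNECT 108.61.142.190:443
1721640004.000 10.0.5.31 GET http://108.61.142.190/PsExec.exe
"""


def file_digests(path: str) -> Dict[str, str]:
    """md5/sha1/sha256 of one file, read once in 1 MiB chunks so large files fit in memory."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def sweep_files(root: str, watchlist: Dict[str, set] = IOC_HASHES) -> List[Tuple[str, str]]:
    """Walk `root`; return (path, algorithm) for every file whose digest is on the watchlist."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digests = file_digests(path)
            except OSError:
                continue  # unreadable or vanished mid-walk: skip, do not abort the sweep
            for algo, value in digests.items():
                if value in watchlist.get(algo, set()):
                    hits.append((path, algo))
    return hits


_URL_RE = re.compile(r"https?://\S+")


def scan_proxy_log(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (line, reason) for lines that reference an IOC URL or the IOC IP.

    URLs are compared exactly against the list; any other mention of the IP
    (for example a CONNECT to 108.61.142.190:443) is reported as a weaker
    'ip' hit so that non-HTTP contact with the server is not missed.
    """
    hits = []
    for line in lines:
        line = line.rstrip("\n")
        if any(url in IOC_URLS for url in _URL_RE.findall(line)):
            hits.append((line, "url"))
        elif IOC_IP in line:
            hits.append((line, "ip"))
    return hits


def demo_sweep(watchlist: Dict[str, set] = IOC_HASHES) -> List[Tuple[str, str]]:
    """Hash a constructed empty file in a temp dir against `watchlist`; return (name, algorithm) hits."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.bin")
        open(path, "wb").close()
        return [(os.path.basename(p), algo) for p, algo in sweep_files(tmp, watchlist)]


if __name__ == "__main__":
    for line, reason in scan_proxy_log(SAMPLE_PROXY_LOG.splitlines(True)):
        print(f"[{reason}] {line}")
    print("file hits in temp sweep:", demo_sweep())
```

The hash sweep is exact-match only: a recompiled or repacked sample will not hit, so the URL and IP checks, and behavioural signals such as VM files carrying a `.PLAY` extension on ESXi datastores, matter as much as the hashes. Point `sweep_files` at a mounted datastore or a staging directory for downloaded archives, and feed `scan_proxy_log` the relevant time window from the proxy rather than the whole log.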
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Maintain Offline Backups - In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
- Enforce strong password policies and consider implementing multi-factor authentication (MFA) to enhance access security.
- Deploy reputable and up-to-date endpoint protection solutions that include anti-malware, intrusion detection/prevention systems, and behavior-based detection mechanisms.
- Identify and address any vulnerabilities or weaknesses in the systems that were exploited during the breach. Apply security patches and updates to ensure the systems are up-to-date.
- Implement a robust backup strategy that includes regular and automated backups of critical data. Ensure that backups are stored securely offline or in an isolated environment to prevent ransomware from encrypting backup files.
- Implement strong encryption measures for sensitive data to protect it from unauthorized access. Employ data segmentation techniques to isolate critical systems and data from less secure areas.
- Establish ongoing monitoring processes and conduct periodic security assessments to identify and address any evolving threats or vulnerabilities. Continuously improve security measures based on lessons learned from the incident.