ESXi environments targeted with new Linux variant ransomware strain

Recent research has shown the Play ransomware group, also known as PlayCrypt and Balloonfly, is deploying a Linux variant that targets ESXi environments. Play has displayed increases in activity throughout 2024, as the group was ranked the most prolific ransomware group in April of 2024. 

Security leaders weigh in

Jason Soroko, Senior Vice President of Product at Sectigo:

“Attackers targeting VMware ESXi environments pose a critical threat to enterprise infrastructure due to the hypervisor’s central role in managing virtualized resources. Compromising an ESXi server can lead to widespread disruption, as a single attack can incapacitate multiple virtual machines simultaneously, affecting core business operations and services. Play’s double extortion tactics, which involve encrypting and exfiltrating data, increase pressure on victims to pay ransoms. The inclusion of commonly used tools for lateral movement and persistence highlights the threat’s potency.”

Mr. Saumitra Das, Vice President of Engineering at Qualys:

“The growth in the public and virtualized cloud and its associated misconfigurations have also coincided with the growth in Linux malware. In fact, malware authors are increasingly moving to platform independent frameworks, such as using GoLang, to make their malware work on different operating systems as well as reuse the other command and control infrastructure around the malware. Linux malware is not as well studied as the Windows counterparts due their prevalence but organizations need to pay much more attention to them as these systems become increasingly targeted by attackers.”

Patrick Tiquet, Vice President, Security & Architecture at Keeper Security:

“The increasing popularity of cloud computing has led to a corresponding surge in Virtual Machine (VM) usage, consolidating multiple applications onto a single physical server. This consolidation not only enhances operational efficiency but also presents attackers with the opportunity to compromise a variety of services through a single breach. As VM deployment continues to expand within cloud environments, they become even more appealing targets due to their shared resources and complex configurations.

“VMWare instances, prevalent in enterprise infrastructure, are particularly attractive to attackers due to their critical role and widespread adoption. Successful breaches not only disrupt services and dole out financial losses, but can also lead to the exposure of sensitive data and violations of regulatory requirements, severely damaging an organization’s reputation.

“Effective protection strategies for virtualized and cloud environments extend beyond patching vulnerabilities. Organizations must enforce rigorous network segmentation to limit lateral movement, implement strong access controls and regularly audit for vulnerabilities. Security hardening practices, such as disabling unnecessary services and employing encryption, alongside robust incident response plans and comprehensive backup strategies, are crucial defenses. Administrators should always ensure they’re using a secure vault and secrets management solution, and they must apply necessary patches and updates as soon as possible. They should also check their cloud console’s security controls to ensure they’re following the latest recommendations.”