Date: 07/20/2024
Severity: High
Summary
The Play ransomware group, known for its double-extortion strategy, has introduced a Linux variant that targets ESXi environments. The majority of this year's attacks have focused on the United States. The variant checks that it is running in an ESXi environment before launching and, per VirusTotal, had evaded detection by security tools. Evidence suggests the Play ransomware group is using infrastructure linked to the Prolific Puma group.
Indicators of Compromise (IOC) List
Type | Indicators
URL/Domains | http://108.61.142.190/1.dll.sa, http://108.61.142.190/64.zip, http://108.61.142.190/winrar-x64-611.exe, http://108.61.142.190/PsExec.exe, http://108.61.142.190/host1.sa, http://108.61.142.190/FX300.rar
IP Address | 108.61.142.190, 45.76.165.129
Hash (SHA-1) | 2a5e003764180eb3531443946d2f3c80ffcb2c30
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Type | Query
URL/Domains | userdomainname IN ("http://108.61.142.190/1.dll.sa", "http://108.61.142.190/64.zip", "http://108.61.142.190/winrar-x64-611.exe", "http://108.61.142.190/PsExec.exe", "http://108.61.142.190/host1.sa", "http://108.61.142.190/FX300.rar") or url IN ("http://108.61.142.190/1.dll.sa", "http://108.61.142.190/64.zip", "http://108.61.142.190/winrar-x64-611.exe", "http://108.61.142.190/PsExec.exe", "http://108.61.142.190/host1.sa", "http://108.61.142.190/FX300.rar")
IP Address | dstipaddress IN ("108.61.142.190") or ipaddress IN ("108.61.142.190") or publicipaddress IN ("108.61.142.190") or srcipaddress IN ("108.61.142.190")
Hash (SHA-1) | sha1hash IN ("2a5e003764180eb3531443946d2f3c80ffcb2c30")
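The same matching logic as the TDIR queries above, written as a stand-alone Python check over key=value log lines so it can be tested offline. This is an added example, not Gurucul's query engine or the advisory's own tooling; the log format and field names are assumptions (field names mirror the queries), the sample lines are constructed, and both IPs from the IOC list are included, with SHA-1 values compared case-insensitively.

```python
import re

# Indicators copied from the IOC list above (URLs, both IPs, SHA-1).
IOC_URLS = {
    "http://108.61.142.190/1.dll.sa",
    "http://108.61.142.190/64.zip",
    "http://108.61.142.190/winrar-x64-611.exe",
    "http://108.61.142.190/PsExec.exe",
    "http://108.61.142.190/host1.sa",
    "http://108.61.142.190/FX300.rar",
}
IOC_IPS = {"108.61.142.190", "45.76.165.129"}
IOC_SHA1 = {"2a5e003764180eb3531443946d2f3c80ffcb2c30"}

# Field names mirror those used in the TDIR queries above (assumed log schema).
URL_FIELDS = ("userdomainname", "url")
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")
HASH_FIELDS = ("sha1hash",)
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_event(line: str) -> dict[str, str]:
    """Parse one key=value log line (assumed format) into a dict."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def match_event(event: dict[str, str]) -> list[str]:
    """Return the indicators hit by one event; [] means no match."""
    hits = []
    for f in URL_FIELDS:
        if event.get(f) in IOC_URLS:
            hits.append(f"url:{event[f]}")
    for f in IP_FIELDS:
        if event.get(f) in IOC_IPS:
            hits.append(f"ip:{event[f]}")
    for f in HASH_FIELDS:  # hashes are compared case-insensitively
        if event.get(f, "").lower() in IOC_SHA1:
            hits.append(f"sha1:{event[f].lower()}")
    return hits

def scan(lines: list[str]) -> list[str]:
    return [f"{i}: {','.join(h)}" for i, l in enumerate(lines, 1)
            if (h := match_event(parse_event(l)))]

# Constructed sample log lines (not real telemetry).
SAMPLE = [
    'ts=2024-07-20T10:00:01Z srcipaddress=10.0.0.5 dstipaddress=108.61.142.190 url="http://108.61.142.190/PsExec.exe"',
    'ts=2024-07-20T10:00:02Z srcipaddress=10.0.0.5 dstipaddress=203.0.113.7 url="http://example.invalid/"',
    'ts=2024-07-20T10:01:10Z host=esxi01 sha1hash=2A5E003764180EB3531443946D2F3C80FFCB2C30 path="/tmp/x"',
]

if __name__ == "__main__":
    for entry in scan(SAMPLE): print("ALERT", entry)
```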
Reference:
https://www.trendmicro.com/en_us/research/24/g/new-play-ransomware-linux-variant-targets-esxi-shows-ties-with-p.html