In June of this year, the SEXi ransomware group, since rebranded as APT Inc, targeted VMware ESXi server environments, using double extortion tactics to pressure victims into paying.
Following this trend, the Play Ransomware group has also adopted similar strategies, focusing primarily on companies operating within the United States.
According to cybersecurity firm Trend Micro, which disclosed these findings in a recent blog post, the Play ransomware group has been adept at infiltrating ESXi environments while evading detection by security measures such as those provided by VirusTotal. This evasion is facilitated through collaboration with a threat actor known as Prolific Puma, which provides tools for automating domain registration and offers link-shortening services to other malicious actors.
First observed in June 2022, Play ransomware has since targeted over 300 organizations worldwide, including ones in Australia, Canada, Germany, the UK, the Netherlands, and the United States. Its victims include medical institutions and other healthcare providers, financial services firms such as banks, and companies in the manufacturing and real estate sectors. Currently, the group's focus has shifted towards infiltrating VMware environments to encrypt virtual machines and cut off access to critical applications.
Defending against such attacks is crucial for proactively safeguarding IT environments from malware infections. Effective measures include deploying threat monitoring solutions, implementing robust backup mechanisms that can restore operations automatically after a malware incident, and refraining from paying ransoms, as paying only incentivizes further criminal activity.