Play Ransomware Group's New Linux Variant Targets ESXi, Shows Ties With Prolific Puma
Trend AI threat hunters discovered the first Linux variant of Play ransomware specifically targeting ESXi environments. The analysis revealed infrastructure connections to Prolific Puma, a threat actor known for providing link-shortening services to cybercriminals. The ESXi variant shares code similarities with the Windows version but includes ESXi-specific routines for VM management and datastore encryption. This discovery demonstrates the continued trend of major ransomware groups developing dedicated Linux/ESXi payloads to maximize impact on enterprise virtualization infrastructure.
Related Research
Agenda Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques
Discovered Agenda ransomware deploying Linux variants on Windows systems via remote management tools and BYOVD techniques for cross-platform evasion.
Agenda Ransomware Group Adds SmokeLoader and NETXLOADER to Their Arsenal
Uncovered Agenda ransomware group adopting SmokeLoader and a new loader named NETXLOADER for improved delivery and evasion.
Agenda Ransomware Exploits MeshAgent and WSL for Cross-Platform Attacks
Analysis of Agenda ransomware exploiting MeshAgent and Windows Subsystem for Linux (WSL) to deploy Linux payloads on Windows systems, raising the bar for cross-platform sophistication.
Cerber Ransomware Exploits Atlassian Confluence Vulnerability CVE-2023-22518
Documented Cerber ransomware operators rapidly weaponizing CVE-2023-22518 in Atlassian Confluence for initial access and encryption deployment.