In a series of alarming cyberattacks, the Play ransomware group has targeted VMware ESXi servers, using double-extortion tactics to cripple U.S. enterprises. Trend Micro researchers revealed that the ransomware first checks whether it is running in an ESXi environment before executing, and that it evaded detection on scanning services such as VirusTotal.
This marks the second significant ESXi security incident within weeks. Previously, the SEXi ransomware operation, under the APT INC banner, persistently targeted these servers for over a month. Notably, SEXi ransomware was implicated in the infamous MGM Resorts attack last fall.
Tom Siu, CISO at Inversion6, explained that the attackers often use stolen credentials or exploit remote vulnerabilities in VMware services. Jason Soroko of Sectigo highlighted that compromising an ESXi server can disrupt multiple virtual machines, affecting core operations.
Play’s strategy involves encrypting and exfiltrating data, then pressuring victims to pay ransoms. Saumitra Das of Qualys noted that the rise of virtualized cloud environments, together with their misconfigurations, has coincided with an increase in Linux malware, which is often built with platform-independent languages such as Go.
Patrick Tiquet from Keeper Security added that cloud computing’s growth has led to more virtual machine usage, consolidating multiple applications on single servers. This makes VMware instances appealing targets due to their critical role and widespread adoption. Effective protection involves rigorous network segmentation, strong access controls, regular vulnerability audits, and comprehensive backup strategies.
Organizations must ensure robust security measures, including secure vaults, secrets management, and timely patches, to safeguard against these sophisticated attacks.