June 5, 2024 at 07:19PM
A new Linux variant of TargetCompany ransomware targets VMware ESXi environments, using a custom shell script to execute the payload, exfiltrate data, and drop a ransom note. Trend Micro reports that the ransomware encrypts files with specific extensions, attributes the attacks to an affiliate named “vampire,” and provides defensive recommendations. The move to encrypting VMware ESXi hosts marks a shift from the operation’s earlier database-focused attacks.
Key takeaways from the report:
1. TargetCompany ransomware has evolved to target VMware ESXi environments using a custom shell script to deliver and execute payloads. The ransomware operation, also known as Mallox, FARGO, and Tohnichi, emerged in June 2021 and previously focused on database attacks against organizations in Taiwan, South Korea, Thailand, and India.
2. In February 2022, Avast released a free decryption tool covering the variants released up to that date, but the gang resumed regular activity in September 2022, targeting vulnerable Microsoft SQL servers and threatening to leak stolen data over Telegram.
3. The new Linux variant ensures administrative privileges before continuing its malicious routine, using a custom script to download and execute the ransomware payload and exfiltrate data to separate servers.
4. The ransomware identifies if it is running in a VMware ESXi environment, creates a “TargetInfo.txt” file containing victim information, encrypts files with specific extensions, and drops a ransom note named “HOW TO DECRYPT.txt” with payment instructions.
5. Trend Micro attributes the attacks deploying the new Linux variant to an affiliate named “vampire,” potentially the same one mentioned in a previous report.
6. The IP addresses used for delivering the payload and receiving victim information were traced to an ISP in China, but this alone is not sufficient to determine the attacker’s origin.
7. Trend Micro’s report includes recommendations such as enabling multifactor authentication, creating backups, and keeping systems updated.
8. The report provides indicators of compromise with hashes for the Linux ransomware version, the custom shell script, and samples related to the affiliate “vampire.”
Together these points summarize the evolving tactics of TargetCompany ransomware and the report’s defensive recommendations.
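As an added example (not code from Trend Micro or from the report), the following Python sweep looks for the two filenames the report names, TargetInfo.txt and HOW TO DECRYPT.txt, and hashes files against an operator-supplied list of SHA-256 IOCs such as those in the report’s IOC section (the hashes themselves are not reproduced here). The directory layout, file contents and the stand-in payload in the demo are constructed; the two filenames are the only details taken from the report.

```python
"""Sweep a Linux / ESXi filesystem for artifacts of the TargetCompany (Mallox)
Linux variant described in the Trend Micro report: the victim-info file the
ransomware writes, the ransom note it drops, and files whose SHA-256 matches
an operator-supplied IOC list. Added example; not code from Trend Micro."""
import hashlib
import os
import tempfile
from dataclasses import dataclass

# The two filenames named in the report. Everything else here is an assumption.
ARTIFACT_NAMES = frozenset({"TargetInfo.txt", "HOW TO DECRYPT.txt"})


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large VM disks are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: str, ioc_hashes=(), max_hash_size: int = 64 << 20) -> list:
    """Walk `root` and return one Finding per hit.

    ioc_hashes: SHA-256 hex digests, e.g. taken from the report's IOC section.
    Files above max_hash_size are not hashed: the IOCs cover the shell script
    and payload, not multi-gigabyte encrypted datastore files.
    """
    wanted = {h.lower() for h in ioc_hashes}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in ARTIFACT_NAMES:
                findings.append(Finding(path, f"artifact filename {name!r}"))
            if not wanted:
                continue
            try:
                if os.path.getsize(path) > max_hash_size:
                    continue
                digest = sha256_of(path)
            except OSError:
                continue  # unreadable or vanished mid-walk; skip rather than abort
            if digest in wanted:
                findings.append(Finding(path, f"sha256 {digest} matches IOC"))
    return findings


def build_demo_tree(base: str) -> str:
    """Create a constructed sample datastore layout under `base` and return the
    digest of the stand-in payload so the caller can pass it to sweep() as an IOC."""
    vm_dir = os.path.join(base, "datastore1", "web-01")
    os.makedirs(vm_dir)
    with open(os.path.join(vm_dir, "web-01.vmdk"), "wb") as f:
        f.write(b"\x00" * 4096)  # benign file: must not be flagged
    with open(os.path.join(vm_dir, "HOW TO DECRYPT.txt"), "w") as f:
        f.write("constructed ransom-note stand-in\n")
    with open(os.path.join(base, "TargetInfo.txt"), "w") as f:
        f.write("constructed victim-info stand-in\n")
    payload = os.path.join(base, "tmp", "x")
    os.makedirs(os.path.dirname(payload))
    with open(payload, "wb") as f:
        f.write(b"constructed payload stand-in, not real malware\n")
    return sha256_of(payload)


def demo() -> list:
    """Run sweep() over the constructed tree; return the sorted list of reasons."""
    with tempfile.TemporaryDirectory() as base:
        ioc = build_demo_tree(base)
        return sorted(f.reason for f in sweep(base, ioc_hashes=[ioc]))


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```

A hit on the ransom-note filename means encryption has most likely already run on that datastore, so the hash check against the script and payload is the earlier-stage indicator worth scheduling regularly; on a real host, point `sweep()` at the datastore mount points and pass the report’s hashes as `ioc_hashes`.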