Researchers observed a new Linux variant of the TargetCompany ransomware family that targets VMware ESXi environments using a custom shell script to deliver and execute payloads.
Also known as Mallox, FARGO, and Tohnichi, the TargetCompany ransomware operation emerged in June 2021 and has been focusing on database attacks (MySQL, Oracle, SQL Server) against organizations mostly in Taiwan, South Korea, Thailand, and India.
In February 2022, antivirus firm Avast announced the availability of a free decryption tool that covered variants released up to that date. By September, though, the gang bounced back into regular activity targeting vulnerable Microsoft SQL servers and threatened victims with leaking stolen data over Telegram.
New Linux variant
In a report today, cybersecurity company Trend Micro says that the new Linux variant of TargetCompany ransomware first checks that it is running with root (administrative) privileges before continuing its malicious routine.
To download and execute the ransomware payload, the threat actor uses a custom script that can also exfiltrate data to two separate servers, likely for redundancy in case of technical issues with the machine or if it gets compromised.
Once on the target system, the payload checks if it runs in a VMware ESXi environment by executing the ‘uname’ command and looking for ‘vmkernel.’
Next, a “TargetInfo.txt” file is created and sent to the command and control (C2) server. It contains victim information such as hostname, IP address, OS details, logged-in users and privileges, unique identifiers, and details about the encrypted files and directories.
The ransomware will encrypt files that have VM-related extensions (vmdk, vmem, vswp, vmx, vmsn, nvram), appending the “.locked” extension to the resulting files.
Finally, a ransom note named “HOW TO DECRYPT.txt” is dropped, containing instructions for the victim on how to pay the ransom and retrieve a valid decryption key.
After all tasks have been completed, the shell script deletes the payload binary (dropped under the file name ‘x’) with the ‘rm -f x’ command, removing the sample itself from the impacted machine to hinder post-incident investigation. Note that this only removes the binary: the encrypted files, the ransom note, and any logs of the script's activity remain and are what responders should hunt for.
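Because the script removes its own binary, responders are usually left with the on-disk artifacts described above rather than the sample. The following is an added example (not code from Trend Micro's report or from the ransomware) that mirrors the payload's ESXi check on ‘uname’ output and then walks a directory tree for the artifacts the article names: VM files with the ‘.locked’ suffix appended to a VMware extension, the “HOW TO DECRYPT.txt” note, and a leftover “TargetInfo.txt”. The datastore layout and file names in the demo tree are constructed for illustration and are not real indicators; the only values taken from the text are the extension list, the ‘.locked’ suffix, and the two file names.

```python
"""Hunt for on-disk artifacts of the TargetCompany Linux/ESXi variant.

Added example, not from the Trend Micro report. The demo directory tree is
constructed; only the extension list, '.locked' suffix, ransom-note name and
'TargetInfo.txt' come from the article's description.
"""
import os
import platform
import re
import tempfile

# Extensions the article says the ransomware targets, and the suffix it appends.
VM_EXTENSIONS = ("vmdk", "vmem", "vswp", "vmx", "vmsn", "nvram")
LOCKED_RE = re.compile(r"\.(%s)\.locked$" % "|".join(VM_EXTENSIONS), re.IGNORECASE)
RANSOM_NOTE = "HOW TO DECRYPT.txt"
VICTIM_INFO = "TargetInfo.txt"


def looks_like_esxi(uname_output: str) -> bool:
    """Mirror the payload's own environment test: 'uname' output mentioning 'vmkernel'."""
    return "vmkernel" in uname_output.lower()


def hunt(root: str) -> dict:
    """Walk `root` and return sorted, root-relative paths of matching artifacts."""
    findings = {"locked_vm_files": [], "ransom_notes": [], "victim_info": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if LOCKED_RE.search(name):
                findings["locked_vm_files"].append(rel)
            elif name == RANSOM_NOTE:
                findings["ransom_notes"].append(rel)
            elif name == VICTIM_INFO:
                findings["victim_info"].append(rel)
    return {kind: sorted(paths) for kind, paths in findings.items()}


def build_demo_tree() -> str:
    """Constructed sample datastore: two encrypted VM files, one untouched log, one note."""
    root = tempfile.mkdtemp(prefix="esxi-demo-")
    vmdir = os.path.join(root, "vmfs", "volumes", "datastore1", "web01")
    os.makedirs(vmdir)
    for name in ("web01.vmdk.locked", "web01.vmx.locked", "web01.log", RANSOM_NOTE):
        with open(os.path.join(vmdir, name), "w", encoding="utf-8") as fh:
            fh.write("demo\n")
    return root


if __name__ == "__main__":
    # On a real host you would point hunt() at /vmfs/volumes instead of the demo tree.
    print("uname looks like ESXi:", looks_like_esxi(" ".join(platform.uname())))
    for kind, paths in hunt(build_demo_tree()).items():
        print("%-16s %d" % (kind, len(paths)), *paths, sep="\n  " if paths else " ")
```

On an ESXi host the same walk would be run over /vmfs/volumes; the ‘uname’ check is included only to show what the payload itself keys on, so the same string can be used as a hunting clue in process or shell-history logs.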
Trend Micro analysts attribute the attacks deploying the new Linux variant of TargetCompany ransomware to an affiliate named “vampire,” likely the same affiliate described in a Sekoia report last month.
The IP addresses used for delivering the payload and receiving the victim-information text file were traced to an ISP in China. However, that alone is not enough to accurately determine the attacker's origin.
Until now, TargetCompany ransomware has focused on Windows machines; the release of a Linux variant and the shift to encrypting VMware ESXi hosts shows the operation's evolution.
Trend Micro’s report includes a set of recommendations such as enabling multifactor authentication (MFA), creating backups, and keeping systems updated.
The researchers provide a list of indicators of compromise with hashes for the Linux ransomware version, the custom shell script, and samples related to the affiliate ‘vampire.’