A new variant of the TargetCompany ransomware family has been discovered targeting VMware ESXi environments using a custom shell script for payload delivery and data exfiltration. This marks the first time such a technique has been observed in the wild. The Linux-based variant was specifically designed for the VMware ESXi environment.
Operating since June 2021, TargetCompany encrypts files with extensions like .mallox, .exploit, .architek or .brg, and deletes shadow copies while terminating processes that may keep important files open. In February 2022, Avast released a decryption tool for victims of this ransomware, allowing file recovery under certain conditions.
The ransomware actors behind TargetCompany are now focusing on virtualization environments like VMware ESXi to amplify their attacks and cause more disruption. By using the “uname” command to identify machines running VMware‘s ESXi hypervisor, the malware can encrypt specific file extensions. Once executed, the ransomware leaves behind a TargetInfo.txt file with victim information, sent to a C2 server.
The ransom note, “HOW TO RECOVER !!.TXT,” is dropped in encrypted folders with a .locked extension on files. Trend Micro’s research indicates that the payload delivery and exfiltration IP address used in this campaign has not been seen in previous TargetCompany operations, and is hosted by China Mobile Communications. The certificate for this IP address is recent and valid for only three months, implying short-term use.
Identified as “Vampire,” a partner associated with the data exchange on the C2 server is believed to be part of larger campaigns with significant ransom demands and broad IT system attacks, possibly mentioned in a report by Sekoia. This new Linux variant of TargetCompany indicates a continuous evolution in malicious tactics to reach a wider range of potential victims, particularly those using VMware ESXi.
Trend Micro has shared indicators of compromise for this threat, emphasizing the need for heightened awareness and security measures against such evolving ransomware tactics. For more updates, follow Pierluigi Paganini on Twitter, Facebook, and Mastodon for the latest in security news regarding hacking and ransomware issues.
Article Source
https://securityaffairs.com/164219/cyber-crime/linux-version-targetcompany-ransomware.html?amp
