A new Linux variant of the TargetCompany ransomware family has been identified by researchers. It targets VMware ESXi environments and uses a custom shell script to deliver its payloads. The ransomware, previously known as Mallox, FARGO, and Tohnichi, emerged in June 2021 with attacks against databases, primarily in Taiwan, South Korea, Thailand, and India.
Antivirus company Avast released a free decryption tool in February 2022 covering the variants seen up to that date. In September, however, the gang resumed attacks on vulnerable Microsoft SQL servers, threatening to publish stolen data via Telegram.
The new Linux variant checks that it has administrator privileges before running its routine. The threat actor uses a custom script to download and execute the ransomware payload, while also exfiltrating data to two separate servers for redundancy.
The ransomware encrypts files with VM-related extensions and appends “.locked” to the resulting files, leaving a ransom note with payment instructions. The shell script then deletes the payload to remove traces that would otherwise aid post-incident investigation.
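A defender-side triage helper built around the “.locked” naming pattern described above, added here as an illustration and not taken from the article or from Trend Micro's report. It walks a datastore listing, separates encrypted VM files from other encrypted files, and counts affected directories so an incident responder can scope the damage quickly. The VM_EXTENSIONS set is an assumption based on common ESXi datastore file types; the report's actual extension list and ransom-note filename are not given on this page, so the script does not look for the note.

```python
import os
from collections import Counter
from dataclasses import dataclass, field
from typing import Iterable

# Extensions associated with ESXi virtual machines. The article only says the
# ransomware targets "VM-related extensions"; this set is an assumption drawn
# from common ESXi datastore file types, not from the report itself.
VM_EXTENSIONS = {".vmdk", ".vmx", ".vmsd", ".vmsn", ".nvram", ".vswp", ".vmem", ".log"}

# Suffix the article says the ransomware appends to encrypted files.
LOCKED_SUFFIX = ".locked"


@dataclass
class TriageResult:
    locked_vm_files: list = field(default_factory=list)     # encrypted files with a VM extension underneath
    locked_other_files: list = field(default_factory=list)  # encrypted files with any other extension
    per_extension: Counter = field(default_factory=Counter) # original extension -> count
    affected_dirs: set = field(default_factory=set)         # directories containing at least one locked file

    @property
    def total_locked(self) -> int:
        return len(self.locked_vm_files) + len(self.locked_other_files)


def original_extension(path: str) -> str:
    """Return the extension that was present before ".locked" was appended."""
    name = os.path.basename(path)
    stem = name[: -len(LOCKED_SUFFIX)]
    return os.path.splitext(stem)[1].lower()


def triage_paths(paths: Iterable[str]) -> TriageResult:
    """Classify every path ending in ".locked"; untouched files are ignored."""
    result = TriageResult()
    for path in paths:
        if not path.endswith(LOCKED_SUFFIX):
            continue
        ext = original_extension(path)
        result.per_extension[ext] += 1
        result.affected_dirs.add(os.path.dirname(path))
        if ext in VM_EXTENSIONS:
            result.locked_vm_files.append(path)
        else:
            result.locked_other_files.append(path)
    return result


def scan_tree(root: str) -> TriageResult:
    """Walk a mounted datastore (or a forensic copy of one) and triage every file found."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            found.append(os.path.join(dirpath, name))
    return triage_paths(found)


# Constructed sample listing resembling a datastore after an incident (not real data).
SAMPLE_LISTING = [
    "/vmfs/volumes/datastore1/web01/web01.vmdk.locked",
    "/vmfs/volumes/datastore1/web01/web01-flat.vmdk.locked",
    "/vmfs/volumes/datastore1/web01/web01.vmx.locked",
    "/vmfs/volumes/datastore1/web01/web01.nvram.locked",
    "/vmfs/volumes/datastore1/db02/db02.vmdk.locked",
    "/vmfs/volumes/datastore1/db02/db02.vmx",  # untouched file, should be skipped
    "/vmfs/volumes/datastore1/notes.txt.locked",
]

if __name__ == "__main__":
    r = triage_paths(SAMPLE_LISTING)
    print(f"{r.total_locked} encrypted files across {len(r.affected_dirs)} directories")
    for ext, n in r.per_extension.most_common():
        print(f"  {ext or '(no extension)'}: {n}")
```

Run `scan_tree("/vmfs/volumes/datastore1")` on a read-only mount or an image copy rather than the live host, so that triage itself never modifies timestamps on evidence. Because the shell script deletes the payload after encryption, the file naming pattern and the ransom note are often the only on-disk traces left, which is why a listing-based check like this is worth having ready.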
Attributed to an affiliate named “Vampire,” the attacks using the Linux variant originate from IP addresses linked to an ISP in China. While the operation traditionally targeted Windows machines, its move to encrypting VMware ESXi hosts indicates a shift in tactics.
Recommendations from Trend Micro include enabling MFA, creating backups, and keeping systems updated to guard against such attacks. The report also includes indicators of compromise for the Linux ransomware version, the custom shell script, and samples related to the “Vampire” affiliate.
Article Source
https://www.bleepingcomputer.com/news/security/linux-version-of-targetcompany-ransomware-focuses-on-VMware-esxi/amp/