Researchers discovered a new Linux variation of the TargetCompany ransomware family that targets VMware ESXi setups and uses a custom shell script to distribute and execute payloads.
The TargetCompany ransomware operation, also known as Mallox, FARGO, and Tohnichi, began in June 2021 and has since focused on database attacks (MySQL, Oracle, SQL Server) against organisations mostly in Taiwan, South Korea, Thailand, and India.
In February 2022, antivirus company Avast announced the release of a free decryption tool that covered all variations released up to that point. By September, however, the group had resumed regular activity, targeting vulnerable Microsoft SQL servers and threatening victims with disclosing stolen data via Telegram.
New Linux version
In a report published earlier this week by cybersecurity firm Trend Micro, the new Linux edition of TargetCompany ransomware scans for administrator access before launching the malicious process. The threat actor employs a custom script to download and execute the ransomware payload, as well as to exfiltrate data to two separate sites, most likely for redundancy in the case of a machine failure or compromise.
Once on the target system, the payload uses the 'uname' command to see if it runs in a VMware ESXi environment and looks for 'vmkernel.' Next, a "TargetInfo.txt" file is generated and delivered to the command and control (C2) server. It contains information about the victim, including hostname, IP address, operating system details, logged-in users and rights, unique identifiers, and information on encrypted files and directories.
The ransomware will encrypt files with VM-related extensions (vmdk, vmem, vswp, vmx, vmsn, nvram) and append the ".locked" extension to the generated files. Finally, a ransom note titled "HOW TO DECRYPT.txt" is dropped, which instructs the victim on how to pay the ransom and retrieve a legitimate decryption key.
After all operations are performed, the shell script deletes the payload using the 'rm -f x' command, erasing all traces that could be used in post-incident investigations from affected devices.
Trend Micro analysts attribute the attacks that deployed the new Linux strain of TargetCompany ransomware to an affiliate named "vampire," who is most likely the same one mentioned in a Sekoia report last month. The IP addresses used to deliver the payload and accept the text file with the victim's information were tracked back to a Chinese ISP.
However, this is insufficient to precisely determine the attacker's origin. Previously, TargetCompany ransomware focused on Windows devices, but the release of the Linux variant, as well as the transition to encrypting VMware ESXi machines, indicate the growth of the operation.
