Researchers have discovered a new Linux variant of the TargetCompany ransomware, known for targeting VMware ESXi environments. This variant uses a custom shell script to deliver and execute payloads, ensuring it has administrative privileges before proceeding with its malicious activities. The TargetCompany ransomware, also referred to as Mallox, FARGO, and Tohnichi, has been active since June 2021, primarily attacking database systems in Taiwan, South Korea, Thailand, and India.
In February 2022, antivirus firm Avast released a free decryption tool for TargetCompany ransomware variants available up to that date. Despite this, by September, the ransomware gang resumed its attacks, focusing on vulnerable Microsoft SQL servers and threatening to leak stolen data via Telegram. Trend Micro’s recent report highlights the new Linux variant’s sophisticated methods, including exfiltrating data to two servers and verifying if it runs in a VMware ESXi environment.
Once the ransomware payload is deployed, it creates a “TargetInfo.txt” file containing critical victim information, which is sent to the command and control server. The ransomware then encrypts files with VM-related extensions, appending a “.locked” extension. Victims receive a ransom note named “HOW TO DECRYPT.txt” with instructions on paying the ransom to retrieve a decryption key. After these steps, the shell script deletes the payload to remove traces of the attack.
Trend Micro attributes these recent attacks to an affiliate named “vampire,” likely connected to a previous report by Sekoia. Although the IP addresses used for the attacks were traced to an ISP in China, this information alone is insufficient to determine the attacker’s origin accurately. The shift to targeting Linux systems and VMware ESXi machines demonstrates the ransomware operation’s evolution. Trend Micro advises implementing multifactor authentication, maintaining regular backups, and keeping systems updated to mitigate such threats.
