Trend Micro researchers have uncovered a new Linux ransomware variant that specifically targets VMware ESXi servers. The variant belongs to the TargetCompany ransomware family, also tracked as Mallox, FARGO, and Tohnichi, and relies on a custom shell script to stage and run the payload and to exfiltrate victim information.
Background on TargetCompany Ransomware
Since its emergence in June 2021, TargetCompany ransomware has primarily attacked database servers like MySQL, Oracle, and SQL Server, affecting numerous organizations across Taiwan, South Korea, Thailand, and India.
Despite a setback in February 2022, when Avast released a decryption tool for earlier variants, the group regained momentum by September 2022, focusing on exposed and weakly secured Microsoft SQL servers and threatening to leak stolen data on Telegram.
The Evolution to Linux
Trend Micro reports that the latest Linux variant first checks that it is running with root privileges before carrying out any of its tasks. It uses a custom shell script not only to deploy the ransomware payload but also to send the collected victim data to two separate servers, presumably so the operators keep a copy if one server is taken down or fails.
TargetCompany Linux variant’s infection chain (Source: Trend Micro)
Once deployed, the script checks whether the output of the uname command contains "vmkernel", which identifies a VMware ESXi host. It then writes a file named "TargetInfo.txt" and uploads it to a command and control (C2) server. The file contains the hostname, IP address, operating system details, the privileges of the current user, and an inventory of the encrypted files.
What Happens During an Attack?
Files associated with virtual machines such as .vmdk, .vmem, .vswp, .vmx, .vmsn, and .nvram are encrypted, with the extension “.locked” appended.
Following the encryption process, a ransom note titled “HOW TO DECRYPT.txt” appears, guiding victims on how to pay the ransom and obtain the decryption key.
Ransom note dropped by TargetCompany Linux variant (Source: Trend Micro)
To reduce the forensic trail, the shell script then runs "rm -f x" to delete the dropped ransomware payload, removing the binary that responders would most want to recover. The encrypted files, ransom notes, and any host or network logs of the activity remain, so they are still the starting point for an investigation.
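The behaviours described above (the root check, the uname probe for "vmkernel", the TargetInfo.txt staging, the ".locked" renaming of VM files, the "HOW TO DECRYPT.txt" note and the "rm -f x" cleanup) translate directly into triage indicators. The following script is an added example and is not Trend Micro's tooling or the ransomware's own code: it walks a datastore directory tree for encrypted VM files and ransom notes, and scans shell-history style log lines for the command indicators. The sample datastore and log lines are constructed here for illustration, and the exact command syntax the real script uses is not on the page, so the regular expressions are assumptions about how those actions would appear in a log.

```python
"""Triage helper for the TargetCompany/Mallox Linux (ESXi) behaviour.

Added example, not Trend Micro's tooling or the ransomware's own code.
Two classes of evidence are checked:
  1. On disk: VM files renamed with the ".locked" suffix and the ransom
     note "HOW TO DECRYPT.txt" inside datastore directories.
  2. In command logs: the root check, the uname-based vmkernel probe,
     the TargetInfo.txt staging and the "rm -f x" cleanup.
"""
import os
import re
import tempfile
from collections import defaultdict

# VM file types the article lists as encryption targets.
VM_EXTENSIONS = {".vmdk", ".vmem", ".vswp", ".vmx", ".vmsn", ".nvram"}
LOCKED_SUFFIX = ".locked"
RANSOM_NOTE = "HOW TO DECRYPT.txt"

# Command patterns derived from the described behaviour. The real script's
# exact syntax is not reproduced on the page; these are assumed forms.
COMMAND_INDICATORS = {
    "root_check": re.compile(r"\b(id\s+-u|whoami)\b"),
    "esxi_probe": re.compile(r"\buname\b.*\bvmkernel\b", re.IGNORECASE),
    "targetinfo_staging": re.compile(r"TargetInfo\.txt"),
    "payload_cleanup": re.compile(r"\brm\s+-f\s+x\b"),
}


def triage_datastore(root):
    """Walk a datastore tree and report encrypted VM files and ransom notes.

    Returns {"encrypted": {vm_dir: [names]}, "notes": [paths]} with paths
    relative to root. Only ".locked" files whose original extension is a
    VM file type are counted, so unrelated ".locked" files are ignored.
    """
    encrypted = defaultdict(list)
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for name in files:
            if name == RANSOM_NOTE:
                notes.append(os.path.join(rel_dir, name))
                continue
            if name.endswith(LOCKED_SUFFIX):
                original = name[: -len(LOCKED_SUFFIX)]
                if os.path.splitext(original)[1].lower() in VM_EXTENSIONS:
                    encrypted[rel_dir].append(name)
    return {"encrypted": {k: sorted(v) for k, v in encrypted.items()},
            "notes": sorted(notes)}


def scan_command_log(lines):
    """Return (line_no, indicator) pairs for lines matching an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        for label, pattern in COMMAND_INDICATORS.items():
            if pattern.search(line):
                hits.append((n, label))
    return hits


def build_sample_datastore():
    """Construct a throwaway datastore mimicking a post-encryption layout."""
    root = tempfile.mkdtemp(prefix="datastore1_")
    vm = os.path.join(root, "web01")
    os.makedirs(vm)
    for f in ["web01.vmx.locked", "web01.vmdk.locked",
              "web01.nvram.locked", "vmware.log", RANSOM_NOTE]:
        open(os.path.join(vm, f), "w").close()
    clean = os.path.join(root, "db02")
    os.makedirs(clean)
    open(os.path.join(clean, "db02.vmx"), "w").close()
    # Unrelated file that merely ends in .locked; must not be reported.
    open(os.path.join(clean, "notes.txt.locked"), "w").close()
    return root


# Constructed shell-history style lines (not real telemetry).
SAMPLE_LOG = [
    "2024-06-05T10:01:02 sh: id -u",
    "2024-06-05T10:01:03 sh: uname -a | grep -i vmkernel",
    "2024-06-05T10:01:09 sh: cat /tmp/TargetInfo.txt",
    "2024-06-05T10:04:40 sh: rm -f x",
    "2024-06-05T10:05:00 sh: ls /vmfs/volumes",
]

if __name__ == "__main__":
    report = triage_datastore(build_sample_datastore())
    for vm_dir, names in report["encrypted"].items():
        print(f"{vm_dir}: {len(names)} encrypted VM files")
    for note in report["notes"]:
        print(f"ransom note: {note}")
    for line_no, label in scan_command_log(SAMPLE_LOG):
        print(f"log line {line_no}: {label}")
```

On a live host the datastore root would be a path under /vmfs/volumes and the log lines would come from shell history or a forwarded audit trail; the indicator list is deliberately narrow so that each hit points at one step of the described chain rather than at generic administration.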
Response and Recommendations
According to Trend Micro, the attacks are attributed to an affiliate known as "vampire", which has been using IP addresses linked to a Chinese ISP. Pinpointing the actual origin of the attackers from that alone remains difficult.
With the shift from Windows to Linux and the targeting of VMware ESXi platforms, the evolution of TargetCompany ransomware represents a significant pivot in the group’s strategy.
Trend Micro strongly advises adopting multi-factor authentication (MFA), conducting regular backups, and ensuring that systems are kept up-to-date to mitigate the risks posed by such ransomware.
Trend Micro also publishes a detailed list of indicators of compromise, including hashes of the Linux ransomware variant and of the scripts used by the "vampire" affiliate.