The TargetCompany ransomware group has recently expanded its arsenal by introducing a sophisticated Linux variant aimed at VMware ESXi environments. This shift signifies an alarming evolution in ransomware tactics, emphasizing the group’s relentless efforts to breach critical virtualized infrastructures. With organizations increasingly relying on virtualization technologies, the implications of these attacks are far-reaching and necessitate heightened cybersecurity measures.
VMware ESXi is a type-1 hypervisor that allows multiple virtual machines to share the same hardware resources without interfering with each other. Launched in October 2008, VMware ESXi was developed by VMware and is known for its efficiency and small footprint. It operates directly on server hardware, providing a robust platform for virtualization that is widely deployed in data centers around the world.
Reports from June 2021 revealed that TargetCompany ransomware, also known as “Water Gatpanapun” by Trend Micro and “Mallox” on its leak site, has been targeting firms in Taiwan, India, Thailand, and South Korea. This group has consistently updated its techniques to evade security measures, including employing PowerShell scripts to bypass the Antimalware Scan Interface (AMSI) and using fully undetectable (FUD) obfuscator packers. Combining these methods with their new focus on Linux environments marks a significant shift in their strategy.
Linux Variant: A New Threat
Trend Micro’s threat-hunting team recently discovered that TargetCompany has developed a new ransomware variant targeting Linux systems. This version uses a shell script for payload delivery and execution, diverging from previous methods. This adaptation reflects a broader trend where ransomware groups are increasingly targeting critical Linux environments, thereby expanding their range of potential victims.
The Linux variant ensures it has administrative rights before proceeding with its malicious operations. Upon execution, it creates a text file named TargetInfo.txt containing victim details, which it sends to a command-and-control (C&C) server. The attack method bears resemblance to the group’s Windows variant, highlighting a consistent strategy across different operating systems.
Infrastructure and Affiliate Activity
TargetCompany’s broadened focus on virtualization servers, particularly VMware ESXi environments, aims to cause significant disruption and increase the likelihood of ransom payments. The ransomware checks whether the host is running VMware ESXi by executing the “uname” command and looking for the “vmkernel” identifier in its output. It then encrypts files, appending the “.locked” extension, and leaves a ransom note named HOW TO DECRYPT.txt. The payload is delivered through a custom shell script that makes the malware executable and runs it in the background; the script also provides a fallback path for data exfiltration.
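The on-disk artefacts described above (the “.locked” extension, the HOW TO DECRYPT.txt ransom note, and the TargetInfo.txt victim file) are the indicators a defender can sweep a datastore for. The following Python scanner is an added example, not code from the article, from Trend Micro, or from the malware itself; the directory layout it builds is constructed sample data, and the function and file names are the author’s own choices.

```python
import os
import tempfile
from pathlib import Path

# Artefact names taken from the article's description of the Linux variant.
ENCRYPTED_EXTENSION = ".locked"
RANSOM_NOTE_NAME = "HOW TO DECRYPT.txt"
VICTIM_INFO_NAME = "TargetInfo.txt"


def scan_for_indicators(root):
    """Walk `root` (e.g. a mounted datastore) and collect paths matching the
    TargetCompany Linux-variant artefacts.

    Returns a dict with lists of matching paths, the set of VM directories that
    contain encrypted files, and a `suspicious` flag set when any encrypted
    file or ransom note is present.
    """
    findings = {"encrypted": [], "ransom_notes": [], "victim_info": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_EXTENSION):
                findings["encrypted"].append(path)
            elif name == RANSOM_NOTE_NAME:
                findings["ransom_notes"].append(path)
            elif name == VICTIM_INFO_NAME:
                findings["victim_info"].append(path)
    # Group hits by directory so an operator can see which VMs were touched.
    findings["affected_dirs"] = sorted({os.path.dirname(p) for p in findings["encrypted"]})
    findings["suspicious"] = bool(findings["encrypted"] or findings["ransom_notes"])
    return findings


def build_sample_datastore(infected=True):
    """Create a throw-away directory tree that mimics an ESXi datastore.

    This is constructed sample data for the demonstration only: with
    infected=True it contains the artefacts the article names, otherwise only
    ordinary VM files.
    """
    root = tempfile.mkdtemp(prefix="sample-datastore-")
    vm_dir = Path(root) / "vm-web01"
    vm_dir.mkdir()
    tmp_dir = Path(root) / "tmp"
    tmp_dir.mkdir()
    (Path(root) / "installer.iso").write_bytes(b"\x00" * 8)
    if infected:
        (vm_dir / "vm-web01.vmdk" + ENCRYPTED_EXTENSION).write_bytes(b"\x00" * 64) if False else None
        (vm_dir / ("vm-web01.vmdk" + ENCRYPTED_EXTENSION)).write_bytes(b"\x00" * 64)
        (vm_dir / ("vm-web01.vmx" + ENCRYPTED_EXTENSION)).write_bytes(b"\x00" * 16)
        (vm_dir / RANSOM_NOTE_NAME).write_text("constructed sample ransom note\n")
        (tmp_dir / VICTIM_INFO_NAME).write_text("hostname=constructed-sample\n")
    else:
        (vm_dir / "vm-web01.vmdk").write_bytes(b"\x00" * 64)
        (vm_dir / "vm-web01.vmx").write_bytes(b"\x00" * 16)
    return root


def demo(infected=True):
    """Build a sample datastore and scan it; returns the findings dict."""
    return scan_for_indicators(build_sample_datastore(infected))


if __name__ == "__main__":
    result = demo()
    print("suspicious:", result["suspicious"])
    print("encrypted files:", len(result["encrypted"]))
    print("affected VM directories:", result["affected_dirs"])
```

Run against a real datastore by calling scan_for_indicators("/vmfs/volumes/<datastore>") from a host where that path is mounted; the check is filename-based only, so treat a hit as a trigger for isolating the host and pulling the shell-script artefacts, not as proof of the full infection chain.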
Key Takeaways
– The new Linux variant represents a critical escalation in ransomware capabilities targeting virtualized infrastructure.
– The ransomware group employs sophisticated techniques such as shell scripts for payload delivery and execution.
– Organizations must adopt robust cybersecurity measures, including multifactor authentication, regular patching, and the 3-2-1 backup rule.
The emergence of TargetCompany’s Linux variant underscores the evolving nature of ransomware threats. This group’s expanded focus on ESXi environments signifies an alarming trend that demands immediate and comprehensive cybersecurity responses. Organizations must stay vigilant, employing best practices and continuously updating their defenses to mitigate these threats. Understanding the tactics used by ransomware groups and implementing robust security measures can help organizations protect their critical infrastructure from such sophisticated attacks.