The TargetCompany ransomware group has added a new Linux variant to its arsenal specifically targeting VMware ESXi environments.
The custom shell script not only deploys the ransomware payload but also exfiltrates the victim's information to two separate servers, ensuring the attackers have a backup of the stolen data, according to a recent report from Trend Micro.
By focusing on ESXi servers, which are commonly used to host crucial virtualized infrastructure, the TargetCompany ransomware group aims to maximize operational disruption and pressure victims into paying ransoms.
Discovered in June 2021, the TargetCompany ransomware, tracked by Trend Micro as “Water Gatpanapun” and known on leak sites as “Mallox,” has predominantly targeted regions like Taiwan, India, Thailand, and South Korea. The group's tactics have continuously evolved, including the use of PowerShell scripts to bypass security measures such as the Antimalware Scan Interface (AMSI) and leveraging fully undetectable (FUD) obfuscator packers.
The new ransomware variant is designed to detect whether it is running in an ESXi environment. The shell script used for this variant initiates the payload download from a specific URL using tools like "wget" or "curl." It checks for administrative rights and aborts if not running with sufficient privileges. Once executed, the ransomware encrypts files, appending the ".locked" extension and dropping a ransom note named "HOW TO DECRYPT.txt."
Interestingly, the new variant's shell script was designed to send exfiltrated data to two different servers. The IP address associated with these operations is hosted by China Mobile Communications, suggesting that TargetCompany's threat actors may have rented infrastructure to facilitate their campaign.
Additionally, Trend Micro researchers said they discovered a new Linux variant of the Play ransomware, which specifically targets ESXi environments. Once running within an ESXi environment, the Play ransomware proceeds to shut down any virtual machine and encrypts VM files. The encrypted files are tagged with ".PLAY". A ransom note is left in the root directory while a modified message will appear in the ESXi login portal.
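The file-level indicators the report attributes to both variants (the ".locked" extension and "HOW TO DECRYPT.txt" note for TargetCompany, the ".PLAY" extension for Play) lend themselves to a simple datastore sweep. The following is an added triage script, not code from Trend Micro or from either ransomware family; the datastore layout it builds is a constructed sample, and the Play note filename is left unset because the article does not name it.

```python
import os
import tempfile
from pathlib import Path

# Per-family indicators as described in the Trend Micro report summarised above.
# The Play ransom note filename is not given in the article, so it is left as None.
INDICATORS = {
    "TargetCompany/Mallox": {"ext": ".locked", "note": "HOW TO DECRYPT.txt"},
    "Play": {"ext": ".PLAY", "note": None},
}


def scan_datastore(root):
    """Walk a datastore tree and tally encrypted files and ransom notes per family.

    Returns {family: {"encrypted": count, "notes": [paths]}}.
    """
    findings = {fam: {"encrypted": 0, "notes": []} for fam in INDICATORS}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            for fam, ind in INDICATORS.items():
                if name.endswith(ind["ext"]):
                    findings[fam]["encrypted"] += 1
                if ind["note"] is not None and name == ind["note"]:
                    findings[fam]["notes"].append(os.path.join(dirpath, name))
    return findings


def families_with_evidence(findings):
    """List the families for which at least one indicator was observed."""
    return [fam for fam, f in findings.items() if f["encrypted"] or f["notes"]]


def build_sample_datastore():
    """Create a throwaway directory that mimics a hit ESXi datastore (constructed data)."""
    root = tempfile.mkdtemp(prefix="esxi_sample_")
    vm_dir = Path(root) / "vmfs" / "volumes" / "datastore1" / "web01"
    vm_dir.mkdir(parents=True)
    # Two encrypted VM files, one untouched file, and the TargetCompany ransom note.
    for fname in ("web01.vmx.locked", "web01-flat.vmdk.locked", "web01.vmsd"):
        (vm_dir / fname).write_bytes(b"\x00" * 16)
    (vm_dir / "HOW TO DECRYPT.txt").write_text("constructed ransom note placeholder\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_datastore()
    result = scan_datastore(sample_root)
    for family in families_with_evidence(result):
        print(family, result[family])
```

Point `scan_datastore` at a real datastore mount to get the same per-family tally; a non-empty `families_with_evidence` result is the trigger for isolating the host and preserving the VM files for forensics.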