June 7, 2024
Severity
High
Analysis Summary
A new Linux variant of the TargetCompany ransomware, also known as Mallox, FARGO, and Tohnichi, has been observed targeting VMware ESXi environments. This variant uses a custom shell script to deliver and execute its payloads, ensuring it has administrative privileges before proceeding with its malicious activities.
This development marks a significant evolution in the ransomware operation, which first emerged in June 2021 and primarily targeted database systems such as MySQL, Oracle, and SQL Server in regions including Taiwan, South Korea, Thailand, and India. Despite the release of a free decryption tool by antivirus firm Avast in February 2022, the group has continued its attacks, focusing on vulnerable Microsoft SQL servers and using Telegram to threaten data leaks.

The custom shell script used by the ransomware downloads and executes the payload and also exfiltrates data to two separate servers for redundancy. Once on the target system, the ransomware checks for a VMware ESXi environment by running the 'uname' command and searching its output for 'vmkernel'. It then creates a "TargetInfo.txt" file containing victim information such as hostname, IP address, OS details, and encrypted file data, which is sent to the command-and-control server. The ransomware encrypts files with VM-related extensions, appends the ".locked" extension, and drops a ransom note named "HOW TO DECRYPT.txt" with payment instructions for decryption.
The report highlights the sophisticated attack chain of this new Linux variant, noting that after executing its tasks the shell script deletes the payload to erase traces from the system. It attributes these attacks to an affiliate named "vampire", with IP addresses linked to a Chinese ISP, though this does not definitively establish the attacker's origin. The shift to targeting VMware ESXi machines shows the operation's adaptability and growing threat level, moving beyond its initial focus on Windows machines.
To mitigate such threats, researchers recommend enabling multifactor authentication (MFA), creating regular backups, and keeping systems updated. The report also provides a list of indicators of compromise, including hashes for the Linux ransomware variant, the custom shell script, and related samples associated with the affiliate 'vampire'. These steps are crucial for organizations to protect against evolving ransomware tactics and to secure their environments against potential breaches.
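The on-host artifacts described above (".locked" files, the "HOW TO DECRYPT.txt" note, and "TargetInfo.txt") can be hunted for with a small POSIX shell script. This is an added example, not code from the advisory or the cited report; it assumes only sh, find, wc, mktemp and uname (all present in ESXi's busybox shell and on Linux), and the sample tree it builds is constructed for illustration.

```shell
#!/bin/sh
# Added hunting helper for the Mallox/TargetCompany ESXi variant (example code,
# not from the original advisory). Scans a directory tree for the artifacts the
# advisory describes and reports whether any are present.

# Count files whose name ends in ".locked" under $1 (e.g. vm1.vmdk.locked).
count_locked_files() {
    find "$1" -type f -name '*.locked' 2>/dev/null | wc -l | tr -d ' '
}

# Count ransom notes and victim-info files under $1, using the file names
# the advisory reports for this variant.
count_ransom_artifacts() {
    find "$1" -type f \( -name 'HOW TO DECRYPT.txt' -o -name 'TargetInfo.txt' \) \
        2>/dev/null | wc -l | tr -d ' '
}

# Pick a scan root: the datastore tree on ESXi (detected via uname/vmkernel,
# the same check the advisory says the malware performs), otherwise "/".
default_scan_root() {
    if uname -a 2>/dev/null | grep -qi vmkernel; then
        printf '/vmfs/volumes\n'
    else
        printf '/\n'
    fi
}

# Print counts and return 0 when the tree looks clean, 1 when any indicator
# is present, so the function can drive an alert in a cron job or playbook.
hunt_mallox_artifacts() {
    dir=$1
    locked=$(count_locked_files "$dir")
    notes=$(count_ransom_artifacts "$dir")
    printf 'scan_root=%s locked_files=%s ransom_artifacts=%s\n' \
        "$dir" "$locked" "$notes"
    [ "$locked" -eq 0 ] && [ "$notes" -eq 0 ]
}

# Constructed sample tree (assumed layout, for running the example offline):
# two encrypted VM files, one ransom note and one TargetInfo.txt.
make_sample_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/vmfs/volumes/ds1/vm1"
    : > "$tmp/vmfs/volumes/ds1/vm1/vm1.vmdk.locked"
    : > "$tmp/vmfs/volumes/ds1/vm1/vm1.vmx.locked"
    : > "$tmp/vmfs/volumes/ds1/HOW TO DECRYPT.txt"
    : > "$tmp/TargetInfo.txt"
    printf '%s\n' "$tmp"
}

# Usage on a real host: hunt_mallox_artifacts "$(default_scan_root)"
```

A non-zero exit from hunt_mallox_artifacts is the signal to isolate the host and preserve the datastore before any cleanup, since the advisory notes the script deletes its payload after running.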
Impact
- Sensitive Data Theft
- File Encryption
- Financial Loss
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Implement multifactor authentication (MFA) to enhance security for remote access and critical systems.
- Regularly update and patch all systems, including Linux servers and VMware ESXi hosts, to close known vulnerabilities.
- Conduct frequent data backups and ensure that backups are stored offline or in a secure, separate network to prevent ransomware encryption.
- Monitor and restrict the use of administrative privileges, ensuring only necessary personnel have access.
- Deploy endpoint protection and intrusion detection/prevention systems (IDS/IPS) to identify and block malicious activities.
- Use network segmentation to limit the spread of ransomware within the organization.
- Educate employees about phishing attacks and safe email practices to reduce the risk of credential theft.
- Regularly review and update incident response plans to ensure quick and effective action during a ransomware attack.
- Implement logging and monitoring to detect unusual activities and potential breaches early.
- Utilize threat intelligence services to stay informed about emerging threats and tactics used by ransomware groups.
- Apply security best practices for VMware ESXi, such as disabling unnecessary services and configuring strong authentication methods.
- Collaborate with cybersecurity experts to conduct regular security assessments and penetration testing of the IT infrastructure.