The New Linux Variant of TargetCompany Ransomware: focuses on VMware ESXi

In a significant development in the cybersecurity landscape, researchers have identified a new Linux variant of the notorious TargetCompany ransomware family. This variant specifically targets VMware ESXi environments using a sophisticated custom shell script to deliver and execute malicious payloads. Known by several aliases, including Mallox, FARGO, and Tohnichi, the TargetCompany ransomware operation has been a persistent threat since its emergence in June 2021, primarily focusing on database attacks in Taiwan, South Korea, Thailand, and India.

Evolution of TargetCompany Ransomware

TargetCompany ransomware initially made headlines with its aggressive attacks on various database systems such as MySQL, Oracle, and SQL Server. In February 2022, antivirus firm Avast made a significant breakthrough by releasing a free decryption tool that could counteract the ransomware variants known up to that point. However, by September 2022, the ransomware gang had regained momentum, shifting their focus to vulnerable Microsoft SQL servers and using Telegram as a platform to threaten victims with data leaks.

The New Linux Variant: A Closer Look

Today, cybersecurity company Trend Micro reported a new Linux variant of TargetCompany ransomware, marking a notable shift in the ransomware’s targeting strategy. This new variant ensures it has administrative privileges before commencing its malicious activities. A custom script is employed to download and execute the ransomware payload, which also has the capability to exfiltrate data to two separate servers. This redundancy ensures the data is still accessible even if one server encounters technical issues or gets compromised.

The custom shell script used in the latest attacks
Source: Trend Micro

Upon infiltrating the target system, the ransomware checks for a VMware ESXi environment by executing the ‘uname’ command and searching for ‘vmkernel’. Following this, a “TargetInfo.txt” file is generated and sent to a command and control (C2) server. This file includes crucial victim information such as hostname, IP address, OS details, logged-in users and privileges, unique identifiers, and specifics about the encrypted files and directories.

Ransom note dropped by the Linux variant
Source: Trend Micro

Stealthy Operations and Attribution

The ransomware’s operations are designed to leave minimal traces. After completing its tasks, the shell script deletes the payload using the ‘rm -f x’ command, effectively wiping any evidence that could aid post-incident investigations. Trend Micro analysts have attributed these attacks to an affiliate named “vampire,” who was also mentioned in a Sekoia report last month. The IP addresses linked to the delivery of the payload and the reception of victim information were traced back to an ISP provider in China, though this alone is insufficient to accurately determine the attacker’s origin.

Support me by buying this e-book

Implications and Recommendations

Historically, TargetCompany ransomware primarily targeted Windows machines. The introduction of the Linux variant and the focus on VMware ESXi environments underscore the operation’s evolving tactics and expanding threat vector.

Trend Micro’s report emphasizes the importance of robust cybersecurity measures to counter this growing threat. Key recommendations include enabling multifactor authentication (MFA), maintaining regular backups, and ensuring all systems are kept up to date. Additionally, the researchers provided a list of indicators of compromise, including hashes for the Linux ransomware version, the custom shell script, and samples related to the affiliate ‘vampire.’


The emergence of the new Linux variant of TargetCompany ransomware highlights the relentless evolution of cyber threats and the necessity for vigilant and proactive cybersecurity practices. Organizations must remain informed and prepared to defend against these sophisticated attacks, ensuring they implement comprehensive security measures to safeguard their systems and data.

s ransomware threats like TargetCompany continue to evolve, it’s crucial for organizations and individuals to take proactive measures to protect their systems and data. Here are some essential tips and tricks to help prevent ransomware attacks:

1. Enable Multifactor Authentication (MFA)

  • Implement MFA across all accounts and systems. This adds an extra layer of security, making it harder for attackers to gain unauthorized access even if they have compromised passwords.

2. Turn Off SSH Access

  • Disable SSH access on systems where it is not necessary. This reduces the attack surface by preventing unauthorized remote access.

3. Use Lockdown Mode

  • Enable lockdown mode on critical systems, such as VMware ESXi, to restrict administrative operations and further secure the environment against potential threats.

4. Regular Backups

  • Regularly back up all critical data and store backups offline or in a secure cloud environment. This ensures that data can be restored in the event of a ransomware attack without paying the ransom.

5. Keep Systems Updated

  • Ensure all software, including operating systems, applications, and antivirus programs, are regularly updated to protect against known vulnerabilities and exploits.

6. Network Segmentation

  • Segment networks to limit the spread of ransomware. By isolating critical systems and data, you can contain an infection and prevent it from affecting the entire network.

7. Employee Training

  • Conduct regular cybersecurity training sessions for employees to educate them about the dangers of ransomware, phishing attacks, and safe online practices.

8. Implement Strong Security Policies

  • Develop and enforce robust security policies, including the use of strong, unique passwords, restricted access controls, and regular audits to ensure compliance.

9. Deploy Advanced Security Solutions

  • Utilize advanced security solutions such as endpoint detection and response (EDR), intrusion detection systems (IDS), and intrusion prevention systems (IPS) to detect and mitigate threats in real-time.

10. Monitor Network Traffic

  • Continuously monitor network traffic for unusual activities that could indicate a ransomware attack. Early detection can help mitigate the impact of an attack.

11. Incident Response Plan

  • Develop and regularly update an incident response plan. Ensure that all team members know their roles and responsibilities in the event of a ransomware attack.

12. Limit User Privileges

  • Restrict user privileges to only what is necessary for their roles. Limiting administrative privileges can prevent the spread of ransomware through the network.

By following these tips and staying vigilant, organizations can significantly reduce the risk of falling victim to ransomware attacks and safeguard their critical systems and data.

Support me by buying this e-book

🔥Subscribe to the channel:🔥

🚨Read my blog:

👊My Podcast:

Please leave the comment