The Download
A new Linux-based variant of the TargetCompany ransomware targets VMware ESXi, using custom shell scripts to deliver and execute its payload. The variant also exfiltrates data before encrypting the VMware image. The ransomware checks for vmkernel to determine whether the target is a VM image running on VMware ESXi; if so, it switches to "vmmode" and runs its scripts. Once the payload executes, data is exfiltrated to multiple servers, the files are encrypted, and a ransom note named "HOW TO RECOVER!!.txt" is left behind.
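The brief gives defenders two concrete things to look for on an ESXi host: the ransom note name and the presence of recently dropped shell scripts. The following POSIX shell script is an added example, not code from the brief or from any vendor mentioned on this page. It hunts for both indicators on an ESXi host or on a read-only mounted copy of a datastore. The default search root (/vmfs/volumes), the one-day modification window for shell scripts, and the function names are assumptions; the ransom note filename comes from the brief.

```shell
#!/bin/sh
# Added example (not from the original brief): a defender-side hunt for the
# TargetCompany/Mallox ESXi variant. Intended to run from the ESXi busybox
# shell or from an analysis host with the datastore mounted read-only.

# Ransom note filename reported for this variant (from the brief).
NOTE_NAME='HOW TO RECOVER!!.txt'

# Default search root on an ESXi host (assumption; override via argument).
DEFAULT_ROOT='/vmfs/volumes'

# count_ransom_notes DIR
#   Prints the number of files under DIR whose basename is the ransom note
#   name. Errors (unreadable or missing directories) are suppressed so the
#   count is always a plain integer.
count_ransom_notes() {
    find "$1" -type f -name "$NOTE_NAME" 2>/dev/null | wc -l | tr -d ' '
}

# recent_shell_scripts DIR
#   Lists *.sh files under DIR modified within the last day. ESXi datastores
#   normally contain VM files, not shell scripts, so any hit deserves review.
#   The one-day window is an assumption; widen it for a retrospective hunt.
recent_shell_scripts() {
    find "$1" -type f -name '*.sh' -mtime -1 2>/dev/null
}

# main ROOT
#   Runs both checks and exits non-zero when the ransom note is present so the
#   script can be chained into a monitoring job.
main() {
    root="${1:-$DEFAULT_ROOT}"
    notes=$(count_ransom_notes "$root")
    printf 'Ransom notes named "%s" under %s: %s\n' "$NOTE_NAME" "$root" "$notes"
    printf 'Shell scripts modified in the last day under %s:\n' "$root"
    recent_shell_scripts "$root" | while IFS= read -r path; do
        printf '  %s\n' "$path"
    done
    [ "$notes" = "0" ]
}

# Only run the hunt when a search root is given on the command line, so the
# functions can also be sourced into other tooling.
if [ -n "${1:-}" ]; then
    main "$1"
fi
```

Invoke it as `sh hunt_targetcompany.sh /vmfs/volumes` on the host; a non-zero exit means at least one ransom note was found. The script deliberately reads only, so it is safe to run during triage before a forensic image is taken.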
What You Can Do
The attack is run against vulnerable SQL servers running on VMware ESXi. To defend against ransomware, follow the NIST Cybersecurity Framework (CSF) guidance on building a robust cybersecurity program: the initial steps are to identify your attack surface and then to protect it. ThreatMate helps with both the identification and the protection of these critical assets.
To Learn More: