Ransomware/Malware Activity

New version of TargetCompany Ransomware Targets Linux OS in VMware ESXi Environments

Researchers at Trend Micro have observed a new Linux variant of TargetCompany ransomware built to infect VMware ESXi environments. TargetCompany is a ransomware operation that mostly targets organizations in Taiwan, South Korea, India, and Thailand. TargetCompany (aka Mallox) has been known for attacking databases (MySQL, Oracle, SQL Server) since June 2021. The new Linux variant checks whether it is running in a VMware ESXi environment and whether it has administrator privileges. The ransomware uses a custom shell script for payload delivery and execution, which is also coded to exfiltrate data to two different servers for redundancy. TargetCompany encrypts files with extensions related to virtual machines and appends the extension ".locked" to them. The ransom note is a text file named "HOW TO DECRYPT.txt" that instructs victims to access a dark web chatroom to receive payment details. Once encryption is complete, the ransomware deletes itself using the command "rm -f x" to hinder post-exploitation analysis by incident responders. Trend Micro has provided the Indicators of Compromise (IoCs) associated with the ransomware in the blog post describing their analysis. CTIX analysts will continue to report on new and emerging strains of malware and associated campaigns.
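As an added illustration (not code from the Trend Micro report or from this briefing), the following triage script checks a file listing from an ESXi datastore for the two artifacts described above: virtual-machine files renamed with a ".locked" extension and the "HOW TO DECRYPT.txt" ransom note. The list of VM file extensions and the sample listing are constructed assumptions, since the text only says "extensions related to virtual machines".

```python
"""Triage helper for the TargetCompany Linux/ESXi artifacts described above.
Added example; the VM extension set and the sample listing are assumptions."""
from collections import Counter
from pathlib import PurePosixPath
from typing import Optional

RANSOM_NOTE = "HOW TO DECRYPT.txt"
LOCKED_EXT = ".locked"
# Assumption: common ESXi virtual-machine file extensions.
VM_EXTENSIONS = {".vmdk", ".vmx", ".vmsd", ".vmsn", ".vswp", ".nvram"}


def classify(path: str) -> Optional[str]:
    """Return an indicator tag for one path, or None if nothing stands out."""
    p = PurePosixPath(path)
    if p.name == RANSOM_NOTE:
        return "ransom_note"
    if p.suffix == LOCKED_EXT:
        # Strip ".locked" and look at the extension that was underneath it.
        inner = PurePosixPath(p.stem).suffix
        if inner in VM_EXTENSIONS:
            return "locked_vm_file"
        return "locked_other"
    return None


def triage(paths):
    """Count indicator types and list the datastore directories affected."""
    counts = Counter()
    dirs = set()
    for path in paths:
        tag = classify(path)
        if tag:
            counts[tag] += 1
            dirs.add(str(PurePosixPath(path).parent))
    return counts, sorted(dirs)


# Constructed sample listing, not data from a real incident.
SAMPLE = [
    "/vmfs/volumes/ds1/web01/web01.vmdk.locked",
    "/vmfs/volumes/ds1/web01/web01.vmx.locked",
    "/vmfs/volumes/ds1/web01/HOW TO DECRYPT.txt",
    "/vmfs/volumes/ds1/db01/db01-flat.vmdk",
    "/vmfs/volumes/ds1/db01/notes.txt.locked",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the sample listing the script reports two locked VM files, one ransom note and one other locked file across the web01 and db01 directories, which is the pattern a responder would want to escalate.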

  • Bleeping Computer: Linux Version of TargetCompany Ransomware
  • Trend Micro: TargetCompany's Linux Variant Targets ESXi

Threat Actor Activity

Qilin Ransomware Gang Attack Causes Disruptions to London Hospitals

Yet another attack has been observed in the larger trend of attacks against the healthcare industry. The Qilin ransomware gang is the apparent culprit behind a ransomware attack on Synnovis, a pathology services provider based in London, that occurred earlier this week on June 3, 2024. Qilin is a likely financially motivated Russian cybercriminal group that performs double-extortion attacks with encryptors specially designed to target VMware ESXi virtual machines. Their attack has resulted in Synnovis being locked out of its system as well as additional service disruptions. The ransomware attack had further consequences, also disrupting a handful of major NHS hospitals in London, causing a "critical incident" declaration as medical operations of some of London's largest hospitals had to be cancelled. Memos released by officials at the affected hospitals have stated that this is an ongoing critical incident and an NHS incident response team is actively investigating both the extent and impact of the attack. The Synnovis customer portal is currently inaccessible and displays a warning that all systems are down due to datacenter issues. Urgent and emergency services, such as urgent care centers and maternity departments, are still operational, but non-emergency pathology appointments have either been postponed, canceled, or redirected to alternate service providers.

  • Bleeping Computer: Qilin Article
  • The Record: Qilin Article

Vulnerabilities

Researchers Discover Bypass Vulnerability in Popular Hotel Self-Check-In Kiosk Software

A kiosk mode bypass vulnerability has been discovered in Ariane Systems' self-check-in systems, which are installed in thousands of hotels globally and are at risk of exposing guests' personal information and room keys. Pentagrid security researcher Martin Schobert found that entering a single quotation character on the reservation look-up screen allows the user to close the check-in application, giving them access to the underlying Windows desktop containing customer details. Despite multiple attempts to alert Ariane Systems, Schobert received no substantial response regarding a firmware fix. The vulnerable terminals, used by 3,000 hotels across twenty-five (25) countries, could allow unauthorized access to personal information and the creation of room keys for other rooms. Hotel operators are advised to isolate these terminals from critical systems and contact the vendor to ensure they are running a secure version. CTIX analysts recommend using defense-in-depth when staying at hotels: guests should not rely solely on their room key lock, and should instead add physical secondary locking mechanisms such as door stops and wedges and lock valuables in secure storage when they leave their rooms.

  • Bleeping Computer: Ariane Vulnerability Article
  • The Cyber Express: Ariane Vulnerability Article

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Ankura Consulting Group LLC
2000 K Street NW
12th Floor
Washington
DC 20006
UNITED STATES
Tel: 202 797 1111
E-mail: cody.prince@ankura.com
URL: ankura.com

© Mondaq Ltd, 2024 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source Business Briefing