
Ankura CTIX FLASH Update - June 7, 2024

Ransomware/Malware Activity


New version of TargetCompany Ransomware Targets Linux OS in VMware ESXi Environments

Researchers at Trend Micro have observed a new Linux variant of TargetCompany ransomware built to infect VMware ESXi environments. TargetCompany is a ransomware operation that mostly targets organizations in Taiwan, South Korea, India, and Thailand. TargetCompany (aka Mallox) has been known for attacking databases (MySQL, Oracle, SQL Server) since June 2021. The new Linux variant checks whether it is running in a VMware ESXi environment and whether it is running with administrator privileges. Payload delivery and execution are handled by a custom shell script, which is also coded to exfiltrate data to two different servers for redundancy. TargetCompany encrypts files with extensions related to virtual machines and appends the extension “.locked” to them. The ransom note is a text file named “HOW TO DECRYPT.txt” that instructs victims to access a dark web chatroom to receive payment details for the ransom. Once encryption is complete, the ransomware deletes itself using the command “rm -f x” to hinder post-exploitation analysis by incident responders. Trend Micro has provided the Indicators of Compromise (IoCs) associated with the ransomware in the blog post describing its analysis. CTIX analysts will continue to report on new and emerging strains of malware and associated campaigns.
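A host-level triage check built from the indicators the report describes (the “.locked” suffix and the “HOW TO DECRYPT.txt” note), as an added example that is not code from the page or from Trend Micro. The set of virtual-machine file extensions is an assumption, since the text only says “extensions related to virtual machines”, and the datastore listing is constructed sample data.

```python
"""Triage an ESXi datastore file listing for TargetCompany-style indicators."""
from collections import Counter
from pathlib import PurePosixPath
from typing import Optional

RANSOM_NOTE = "HOW TO DECRYPT.txt"   # ransom note name from the report
LOCKED_SUFFIX = ".locked"            # extension appended to encrypted files
# Assumed list of VM-related extensions worth flagging; the report does not enumerate them.
VM_EXTENSIONS = {".vmdk", ".vmx", ".vmsd", ".vmsn", ".vmem", ".nvram", ".vswp"}


def classify(path: str) -> Optional[str]:
    """Return an indicator label for one path, or None if nothing matches."""
    p = PurePosixPath(path)
    if p.name == RANSOM_NOTE:
        return "ransom_note"
    if p.suffix == LOCKED_SUFFIX:
        # The original extension sits in front of ".locked", e.g. web01.vmdk.locked
        inner = PurePosixPath(p.stem).suffix.lower()
        return "encrypted_vm_file" if inner in VM_EXTENSIONS else "encrypted_other"
    return None


def triage(listing: list) -> dict:
    """Summarise a listing: counts per indicator, affected directories, overall verdict."""
    counts: Counter = Counter()
    dirs = set()
    for path in listing:
        label = classify(path)
        if label:
            counts[label] += 1
            dirs.add(str(PurePosixPath(path).parent))
    suspected = counts["ransom_note"] > 0 or counts["encrypted_vm_file"] > 0
    return {"counts": dict(counts), "affected_dirs": sorted(dirs),
            "suspected_ransomware": suspected}


# Constructed sample listing (not real data) resembling a datastore after encryption.
SAMPLE = [
    "/vmfs/volumes/datastore1/web01/web01.vmdk.locked",
    "/vmfs/volumes/datastore1/web01/web01.vmx.locked",
    "/vmfs/volumes/datastore1/web01/HOW TO DECRYPT.txt",
    "/vmfs/volumes/datastore1/db01/db01.vmdk",
    "/vmfs/volumes/datastore1/db01/notes.txt.locked",
    "/vmfs/volumes/datastore1/iso/ubuntu.iso",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On a live host the listing would come from walking the datastore mount rather than the embedded sample.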



Threat Actor Activity


Qilin Ransomware Gang Attack Causes Disruptions to London Hospitals

Yet another attack has been observed in the larger trend of attacks against the healthcare industry. The Qilin ransomware gang is the apparent culprit behind a ransomware attack on Synnovis, a pathology services provider based in London, that occurred earlier this week on June 3, 2024. Qilin is a likely financially motivated Russian cybercriminal group that performs double-extortion attacks with encryptors specially designed to target VMware ESXi virtual machines. The attack has locked Synnovis out of its systems and caused additional service disruptions. It has also disrupted a handful of major NHS hospitals in London, prompting a "critical incident" declaration as medical operations at some of London's largest hospitals had to be cancelled. Memos released by officials at the affected hospitals state that this is an ongoing critical incident and that an NHS incident response team is actively investigating both the extent and the impact of the attack. The Synnovis customer portal is currently inaccessible and displays a warning that all systems are down due to datacenter issues. Urgent and emergency services, such as urgent care centers and maternity departments, are still operational, but non-emergency pathology appointments have been postponed, canceled, or redirected to alternate service providers.





Researchers Discover Bypass Vulnerability in Popular Hotel Self-Check-In Kiosk Software

A kiosk mode bypass vulnerability has been discovered in Ariane Systems' self-check-in systems, which are installed in thousands of hotels globally and risk exposing guests’ personal information and room keys. Pentagrid security researcher Martin Schobert found that entering a single quotation character on the reservation look-up screen allows the user to close the check-in application, giving them access to the underlying Windows desktop containing customer details. Despite multiple attempts to alert Ariane Systems, Schobert received no substantial response regarding a firmware fix. The vulnerable terminals, used by 3,000 hotels across twenty-five (25) countries, could allow unauthorized access to personal information and the creation of room keys for other rooms. Hotel operators are advised to isolate these terminals from critical systems and contact the vendor to ensure they are running a secure version. CTIX analysts recommend using defense-in-depth when staying at hotels: guests should not rely solely on their room key lock, but should use physical secondary locking mechanisms like door stops and wedges, and lock up valuables in secure storage when they leave their rooms.


The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence about current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence about recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the CTIX Team ( if additional context is needed.

© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice

