Full Report
Researchers investigated a series of ransomware attacks targeting poorly managed MS-SQL servers by the TargetCompany ransomware group. This group primarily installs Mallox ransomware, with recent analysis linking these incidents to earlier attacks involving Tor2Mine CoinMiner ...
Analysis Summary
# Threat Actor: TargetCompany
## Attribution & Identity
**Actor Identification:** TargetCompany ransomware group.
**Known Aliases/Associations:** Linked to earlier activity involving Tor2Mine CoinMiner and BlueSky ransomware via shared C&C infrastructure and methodologies.
## Activity Summary
Researchers investigated a series of ransomware attacks specifically targeting poorly managed Microsoft SQL (MS-SQL) servers. The primary objective appears to be financial gain through ransomware deployment (Mallox). Recent analysis suggests this group is consistent with those involved in older campaigns using Tor2Mine CoinMiner and BlueSky.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploitation of poorly managed MS-SQL servers via password attacks (bruteforcing/dictionary attacks) against the SA account.
- **Persistence/C2 Establishment:** Deployment of Remcos RAT for remote administration, keylogging, screen capture, and webcam control.
- **Lateral Movement/Control:** Installation of AnyDesk and unique remote screen control malware for deeper system control.
- **Impact/Execution:** Deployment of Mallox ransomware approximately 29 hours post-initial access.
- **Ransomware Functionality:** Deleting volume shadow copies, disabling Windows recovery features, terminating processes, and altering registry keys to impede system shutdown during encryption.
- **Data Exfiltration:** Collecting system information and sending it to the C&C server prior to encryption.
- Observed Techniques: Password bruteforcing, Vulnerability exploitation (implied via MS-SQL weakness).
- *MITRE ATT&CK IDs are not explicitly provided in the source text.*
## Targeting
- **Sectors:** Organizations utilizing MS-SQL servers (implied sector: general IT infrastructure, potentially finance/data-heavy sectors).
- **Geography:** Not specified in the article.
- **Victims:** Poorly managed MS-SQL servers.
## Tools & Infrastructure
- **Malware Families Used:**
- Mallox ransomware (primary payload)
- Remcos RAT
- Tor2Mine CoinMiner (historical association)
- BlueSky ransomware (historical association)
- AnyDesk
- Unique remote screen control malware (First seen December 2022)
- **Infrastructure (C2, domains, IPs):** C\&C server addresses are shared with Tor2Mine CoinMiner and BlueSky campaigns. (Specific addresses are not provided in the text, so none can be defanged).
## Implications
TargetCompany exhibits a pattern of leveraging easy entry points (misconfigured MSSQL servers) to rapidly deploy sophisticated malware chains culminating in costly ransomware infections. The linkage to coin-mining activity historically suggests a potential for varied monetization strategies leveraging compromised resources. The use of custom/unique remote control malware suggests a degree of technical proficiency.
## Mitigations
- Immediately patch and secure all MS-SQL servers.
- Implement strong, complex passwords and enforce multi-factor authentication (MFA) where possible, especially for administrative accounts (SA).
- Restrict internet accessibility to MS-SQL instances; utilize firewalls and network segmentation.
- Monitor for the deployment of legitimate remote access tools (RATs like Remcos) or administrative tools (AnyDesk) outside of established IT policies.
- Ensure Volume Shadow Copies and system recovery functionalities are actively monitored or protected against deletion.