{
	"id": "13e0e95f-e1cb-4807-90ad-b10e4749990b",
	"created_at": "2026-04-06T01:30:49.75957Z",
	"updated_at": "2026-04-10T13:13:10.758152Z",
	"deleted_at": null,
	"sha1_hash": "811f369d5edd41a52e4335d3baf72bd7b6916558",
	"title": "Decrypted: TargetCompany ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3063576,
	"plain_text": "Decrypted: TargetCompany ransomware\r\nBy Threat Research Team\r\nArchived: 2026-04-06 00:31:21 UTC\r\nOn January 25, 2022, a victim of a ransomware attack reached out to us for help. The extension of the\r\nencrypted files and the ransom note indicated the TargetCompany ransomware (not related to Target the store),\r\nwhich can be decrypted under certain circumstances.\r\nModus Operandi of the TargetCompany Ransomware\r\nWhen executed, the ransomware performs several actions to ease its own malicious work:\r\n1. Assigns the SeTakeOwnershipPrivilege and SeDebugPrivilege for its process\r\n2. Deletes special file execution options for tools like vssadmin.exe, wmic.exe, wbadmin.exe,\r\nbcdedit.exe, powershell.exe, diskshadow.exe, net.exe and taskkil.exe\r\n3. Removes shadow copies on all drives using this command:\r\n%windir%\\sysnative\\vssadmin.exe delete shadows /all /quiet\r\n4. Reconfigures boot options:\r\nbcdedit /set {current} bootstatuspolicy ignoreallfailures\r\nbcdedit /set {current} recoveryenabled no\r\n5. Kills some processes that may hold open valuable files, such as databases:\r\nAfter these preparations, the ransomware gets the mask of all logical drives in the system using the\r\nGetLogicalDrives() Win32 API. Each drive is checked for the drive type by GetDriveType(). If that drive is\r\nvalid (fixed, removable or network), the encryption of the drive proceeds. First, every drive is populated with the\r\nransom note file (named RECOVERY INFORMATION.txt). When this task is complete, the actual encryption begins.\r\nExceptions\r\nTo keep the infected PC working, TargetCompany avoids encrypting certain folders and file types:\r\nThe ransomware generates an encryption key for each file (0x28 bytes). This key splits into a ChaCha20 encryption\r\nkey (0x20 bytes) and a nonce (0x08 bytes). After the file is encrypted, the key is protected by a combination of\r\nCurve25519 elliptic curve + AES-128 and appended to the end of the file. The scheme below illustrates the file\r\nencryption. Red-marked parts show the values that are saved into the file tail after the file data is encrypted:\r\nThe exact structure of the file tail, appended to the end of each encrypted file, is shown as a C-style structure:\r\nEvery folder with an encrypted file contains the ransom note file. A copy of the ransom note is also saved into\r\nc:\\HOW TO RECOVER !!.TXT\r\nThe personal ID, mentioned in the file, is the first six bytes of the personal_id, stored in each encrypted file.\r\nHow to use the Avast decryptor to recover files\r\nTo decrypt your files, please follow these steps:\r\n1. Download the free Avast decryptor. Choose a build that corresponds with your Windows installation. The\r\n64-bit version is significantly faster and most of today’s Windows installations are 64-bit.\r\nIf you have 64-bit Windows, choose the 64-bit build.\r\nIf you have 32-bit Windows, choose the 32-bit build.\r\n2. Simply run the executable file. It starts in the form of a wizard, which leads you through the configuration\r\nof the decryption process.\r\n3. On the initial page, you can read the license information, if you want, but you really only need to click\r\n“Next”.\r\n4. On the next page, select the list of locations which you want to be searched and decrypted. By default, it\r\ncontains a list of all local drives:\r\n5. On the third page, you need to enter the name of a file encrypted by the TargetCompany ransomware. In\r\ncase you have an encryption password created by a previous run of the decryptor, you can select the “I\r\nknow the password for decrypting files” option:\r\n6. The next page is where the password cracking process takes place. Click “Start” when you are ready to\r\nstart the process. During password cracking, all your available processor cores will spend most of their\r\ncomputing power to find the decryption password. The cracking process may take a large amount of time,\r\nup to tens of hours. The decryptor periodically saves the progress and if you interrupt it and restart the\r\ndecryptor later, it offers you an option to resume the previously started cracking process. Password\r\ncracking is only needed once per PC – no need to do it again for each file.\r\n7. When the password is found, you can proceed to the decryption of files on your PC by clicking “Next”.\r\n8. On the final wizard page, you can choose whether you want to back up encrypted files. These backups may\r\nhelp if anything goes wrong during the decryption process. This option is turned on by default, which we\r\nrecommend. After clicking “Decrypt”, the decryption process begins. Let the decryptor work and wait\r\nuntil it finishes.\r\nIOCs\r\nThreat Research Team\r\nA group of elite researchers who like to stay under the radar.\r\nSource: https://decoded.avast.io/threatresearch/decrypted-targetcompany-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://decoded.avast.io/threatresearch/decrypted-targetcompany-ransomware/"
	],
	"report_names": [
		"decrypted-targetcompany-ransomware"
	],
	"threat_actors": [
		{
			"id": "67bf0462-41a3-4da5-b876-187e9ef7c375",
			"created_at": "2022-10-25T16:07:23.44832Z",
			"updated_at": "2026-04-10T02:00:04.607111Z",
			"deleted_at": null,
			"main_name": "Careto",
			"aliases": [
				"Careto",
				"The Mask",
				"Ugly Face"
			],
			"source_name": "ETDA:Careto",
			"tools": [
				"Careto"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f5bf6853-3f6e-452c-a7b7-8f81c9a27476",
			"created_at": "2023-01-06T13:46:38.677391Z",
			"updated_at": "2026-04-10T02:00:03.064818Z",
			"deleted_at": null,
			"main_name": "Careto",
			"aliases": [
				"The Mask",
				"Ugly Face"
			],
			"source_name": "MISPGALAXY:Careto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439049,
	"ts_updated_at": 1775826790,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/811f369d5edd41a52e4335d3baf72bd7b6916558.pdf",
		"text": "https://archive.orkl.eu/811f369d5edd41a52e4335d3baf72bd7b6916558.txt",
		"img": "https://archive.orkl.eu/811f369d5edd41a52e4335d3baf72bd7b6916558.jpg"
	}
}