Is Your DLP Solution Truly Keeping Your Data Secure? Take Instant Assessment Now!

Check DLP Score
Search
Close this search box.
Get a Demo

Mallox Ransomware: Latest Developments and Defense Strategies

  • Sarika Sharma

Mallox ransomware is a severe threat infecting Microsoft Windows systems. This malware encrypts files and demands a ransom, disrupting operations. Learn about Mallox’s history, attack methods, encryption techniques, and how to defend against it in this comprehensive guide.

Mallox Ransomware Overview

Mallox ransomware, a notorious member of the malware families targeting Microsoft Windows systems, has been a significant concern since its emergence. With more than 700 distinct samples identified, Mallox has primarily targeted industries such as manufacturing, professional and legal services, and wholesale and retail. Known for its destructiveness, Mallox has made headlines for its capability to severely disrupt operations. The ransomware attack impacts not only the files but also the overall stability and functionality of the infected systems.

Organizations must understand Mallox ransomware’s characteristics and potential impacts. The ransomware payload is designed to inflict maximum damage, making it a formidable adversary in the realm of cybersecurity.

As we explore the history and evolution of Mallox, along with its ransomware as a service (RaaS) model, it becomes evident why this ransomware strain demands serious attention from cybersecurity professionals.

  • History and Evolution

    The journey of Mallox ransomware began in May 2021, with its first recorded activity surfacing in June of the same year. Initially, Mallox relied on direct attacks, but it soon evolved to incorporate phishing campaigns as a means of gaining initial access to victim networks. This shift in tactics marked a significant step in its evolution, making it more versatile and challenging to combat.
    In early 2023, an interview revealed that the threat actors behind Mallox had acquired its source code in 2022, leading to the introduction of new features and improvements. By 2024, Mallox had continued to target sectors such as manufacturing, professional services, and retail, demonstrating its persistent threat.
    The most recent version of Mallox, identified in March 2024, highlights its ongoing operational status and the continuous efforts of its developers to enhance its capabilities.

Ransomware’s Getting Smarter. Is Your Defense Ready?

Why guessing isn’t a strategy — Arm yourself with expert-backed guidance.

Download the Fidelis XDR Guide to Learn:

  • Real-Time Containment
  • Proactive Hunting
  • How to Avoid Blind Spots
Grab the Full Guide!

  • Ransomware as a Service (RaaS) Model

    Mallox operates under a Ransomware-as-a-Service (RaaS) model, a business strategy that allows affiliates to use its ransomware for their own attacks. This model democratizes ransomware attacks, enabling even less skilled cybercriminals to launch sophisticated attacks. By January 2023, Mallox’s RaaS program was actively promoting its services on dark web forums, seeking experienced affiliates for partnership.
    The growth of the Mallox RaaS program has been substantial, with 19 partners actively involved by early 2024. This network of affiliates has significantly increased the reach and impact of Mallox ransomware attacks, making it a pervasive threat.
    The RaaS model has bolstered Mallox’s ability to inflict widespread damage, distinguishing it from other ransomware groups and highlighting the need for robust defense strategies.

Initial Access Techniques

Mallox Ransomware Attack Sequence

Mallox ransomware uses multiple methods to achieve initial access to victim networks. These techniques are part of its overall approach to compromise targets. Understanding these techniques is crucial for implementing effective security measures. The primary methods include exploiting unsecured MS SQL servers and deploying phishing and social engineering tactics. By targeting these vulnerabilities, Mallox threat actors can infiltrate systems and initiate their malicious activities.

  • Exploiting Unsecured MS SQL Servers

    Mallox primarily gains initial access by exploiting unsecured MS SQL servers. The group specifically targets publicly exposed MS SQL and ODBC interfaces, leveraging these as primary attack vectors. This method of gaining initial access has proven effective, allowing Mallox to infiltrate systems and begin the payload deployment process, which includes various mallox attack attempts.
    Once access is gained, Mallox initiates its mallox ransomware payload deployment by downloading the ransomware via PowerShell from a remote server. This approach not only facilitates the spread of the ransomware but also ensures that the attackers can maintain control over the compromised systems. By focusing on weakly configured services, Mallox can efficiently execute its malicious objectives.

  • Phishing and Social Engineering

    Phishing and social engineering are also key tactics employed by Mallox ransomware attackers. Cybercriminals craft convincing emails that appear to come from trusted sources, tricking individuals into clicking on malicious links or downloading ransomware payloads. These phishing emails often contain malicious attachments or links that, once clicked, initiate the ransomware infection process.
    The deceptive nature of these tactics makes them particularly effective in gaining initial access to networks.

Execution and Payload Deployment

After gaining initial access, Mallox ransomware begins its execution process, employing various techniques to deploy its payload. The attackers utilize brute force tactics against weakly configured services to infiltrate networks, gaining control over compromised systems.

Once inside, the ransomware begins its malicious activities, preparing to encrypt files and disrupt operations.

  • PowerShell and Command Line Usage

    Mallox ransomware heavily relies on PowerShell for its deployment and operational strategies. The typical command lines employed include specific PowerShell scripts designed to download and execute the payload. These scripts often execute with the ExecutionPolicy flag set to bypass, allowing the ransomware to operate without interruption.
    Additionally, Mallox modifies system settings via command line, such as changing the computer’s power scheme to High Performance to expedite encryption. To ensure the encryption process is not disrupted, Mallox may terminate processes linked to databases, such as SQL Server or MySQL. Furthermore, Mallox employs Windows Management Instrumentation (WMI) to execute its binaries after initial deployment.

  • Remote Desktop Protocol (RDP) Exploitation

    Mallox uses Remote Desktop Protocol (RDP) to move laterally within a compromised network. By modifying registry keys such as fDenyTSConnections and LimitBlankPasswords, Mallox enables Remote Desktop connections. Additionally, the ransomware creates firewall rules to allow traffic on port 3389, facilitating remote access to compromised systems.
    This tactic not only aids in the spread of the ransomware but also allows the attackers to maintain control over the infected network.

Unmasking Ransomware: Proactive Strategies to Safeguard Your Organisation

In this webinar we will look into:

  • Assess your organization’s vulnerability
  • Experience our cybersecurity solutions
Watch On-Demand Webinar

Data Encryption Process

The core of Mallox ransomware’s threat lies in its data encryption process. By encrypting files directly in their original locations, Mallox ensures that victims are unable to access their critical data without paying the ransom. This encryption process is designed to lock files and demand ransom from victims, making it a primary method of extortion.

Mallox Ransomware Encryption Process

  • Encryption Algorithms

    Mallox employs a sophisticated encryption scheme that uses multiple algorithms to secure files. The ransomware utilizes ChaCha20 for file encryption, ensuring that data is locked with robust security measures. In its latest versions, Mallox uses AES-256 in GCM mode, providing an additional layer of encryption. File keys are generated using ISAAC PRNG, seeded by BCryptGenRandom and Mersenne Twister PRNG, ensuring the encryption process is both secure and efficient. The ransomware is capable of employing up to 64 threads for encryption, with the number of threads determined by the GetSystemInfo function.
    To enhance security further, Mallox uses the ECDH (Elliptic-curve Diffie–Hellman) protocol for key agreement. This complex encryption scheme makes it challenging for victims to decrypt files without the private key, which is only provided upon payment of the ransom.
    The technical buffer at the end of each encrypted file has been expanded in the latest version, adding to the complexity of the encryption process.

  • Impact on Files and Systems

    Before: Mallox ransomware affects a wide range of files by encrypting them, thereby disrupting access and functionality. The ransomware appends specific extensions, such as ‘.rmallox’, to encrypted files, making it evident which files have been compromised. By targeting critical files necessary for databases and backups, Mallox maximizes the impact on the victim’s operations. To further obstruct recovery efforts, Mallox employs commands to delete all volume shadow copies, ensuring that victims cannot easily restore their files.
    After: Mallox ransomware affects a wide range of files by encrypting them, thereby disrupting access and functionality. The ransomware:

    • Appends specific extensions, such as ‘.rmallox’, to encrypted files, making it evident which files have been compromised
    • Targets critical files necessary for databases and backups, maximizing the impact on the victim’s operations
    • Employs commands to delete all volume shadow copies, ensuring that victims cannot easily restore their files
    The encryption process is thorough and methodical, leaving victims with limited options for data recovery. The appended file extensions serve as a constant reminder of the ransomware’s presence, adding psychological pressure to the technical challenge of data recovery. This dual impact on files and systems underscores the importance of robust security measures to prevent ransomware infections.

Data Exfiltration and Double Extortion

Mallox ransomware employs a dual strategy of data exfiltration and double extortion. By capturing sensitive data before encrypting target files, Mallox enhances its leverage over victims. This tactic not only threatens the integrity of the victim’s data but also increases the pressure to pay the ransom.

  • Stealing Data Before Encryption

    During its reconnaissance phase, Mallox generates a text file containing sensitive data for exfiltration. This systematic approach to stealing data underscores the dual threat posed by Mallox ransomware. By exfiltrating critical data before encrypting files, Mallox maximizes its leverage in ransom negotiations, making it more likely that victims will pay to avoid the public exposure of their sensitive information. The successful exfiltration of data significantly enhances Mallox’s ability to pressure victims, contributing to the effectiveness of their ransomware attacks.
    The combination of data theft and file encryption creates a formidable challenge for victims. Not only do they face the loss of access to their files, but they also risk the public exposure of their stolen data. This dual threat amplifies the impact of a Mallox ransomware attack, making it a critical concern for cybersecurity professionals.

  • Data Leak Sites and Ransom Notes

    Data leak sites have become a crucial component of Mallox ransomware tactics. These sites showcase stolen information, providing insights into the size and type of data compromised. By publishing stolen data, Mallox increases the pressure on victims to pay the ransom, as the public exposure of sensitive information can have severe repercussions. The combined impact of data leaks and ransom notes creates a systemic threat that forces organizations to respond quickly to mitigate exposure and losses.
    Ransom notes play a significant role in the extortion process, detailing the demands and threats posed to victims if the ransom is not paid. These notes are typically left on the infected systems, providing instructions on how to pay the ransom and the consequences of non-compliance.
    The ransom notes, coupled with the threat of data leaks, create a powerful incentive for victims to comply with the attackers’ demands. This dual-extortion tactic is a hallmark of Mallox ransomware, highlighting the need for robust defensive measures to protect sensitive data.

Detection and Mitigation Strategies

Detection and mitigation strategies are critical in combating Mallox ransomware. Adopting a risk-based approach is essential for prioritizing detection techniques and implementing effective security measures. Recognizing the distinct patterns of compromise associated with Mallox ransomware can assist in early detection and timely response.

Focusing on unusual network traffic patterns, failed login attempts on MS SQL servers, and the presence of malicious executables can enhance an organization’s security posture and mitigate risks from evolving ransomware threats like Mallox.

  • Security Controls and Best Practices

    Defending against Mallox ransomware requires robust security controls and best practices. Organizations should employ multi-factor authentication to reduce unauthorized access risks and ensure regular updates and patches for software and applications. Mallox creates persistence by adding a new local account to both Administrators and Remote Desktop Users groups, underscoring the importance of monitoring and securing user accounts. Mallox also modifies registry keys to disable User Account Control (UAC) and facilitates lateral movement by adjusting firewall settings to allow traffic through port 3389.
    An incident response plan with communication protocols during a Mallox ransomware attack is essential. Post-incident analysis helps identify weaknesses exploited by Mallox ransomware and enhances future defenses. Regular threat assessments and maintaining vigilance can effectively mitigate threats posed by Mallox ransomware.

  • Incident Response and System Recovery

    Effective incident response and system recovery are crucial for mitigating the impacts of a Mallox ransomware infection. Restoring systems from clean backups ensures data integrity and business continuity, a key step in recovery. A well-coordinated incident response plan with timely detection, containment, eradication, and recovery measures minimizes disruption from ransomware attacks.
    Prioritizing vulnerability management and maintaining comprehensive backup strategies enhance an organization’s resilience against ransomware infections.

Observed Mallox Ransomware Activity

Mallox ransomware activity saw a notable rise, particularly in 2023. With over 700 discovered samples and significant activity reported in regions like Brazil, Vietnam, and China, Mallox ransomware affiliates have been targeting vulnerable companies with increased frequency.

This resurgence underscores the ongoing threat posed by Mallox and the need for continuous vigilance and robust security measures.

  • Recent Attack Attempts

    Mallox ransomware continues to be a persistent threat, with a 174% increase in activity compared to the previous year. Hundreds of victims have been claimed by the Mallox ransomware group, underscoring the widespread impact of their attacks. Shared incident response insights enabled one victim to recover six months after the initial Mallox report. These recent attack attempts highlight the importance of timely detection and robust incident response strategies to mitigate the effects of ransomware attacks.
    The Mallox ransomware group employs various tactics to infiltrate networks, including phishing emails and malicious attachments. Understanding these tactics and implementing effective security measures can better protect organizations from potential ransomware infections and minimize data breach risks.

  • Analysis of Victim Networks

    An analysis of victim networks reveals the extent of Mallox ransomware’s operations. Currently, there are 42 victims listed on the Mallox leak site, showcasing the breadth of their attacks. Members of the Mallox group include Russian hackers, highlighting the international nature of the threat actors involved.
    The targeted organizations represent various sectors, emphasizing the need for comprehensive cybersecurity measures across all industries to protect against ransomware attacks.

Indicators of Compromise (IoCs)

Indicators of Compromise (IoCs) are crucial for identifying and preventing Mallox ransomware attacks. By monitoring known MD5 hashes, registry keys, and command line patterns associated with Mallox, organizations can detect potential infections and respond effectively.

Utilizing these IoCs enhances detection and response to Mallox ransomware threats, providing a valuable tool in combating ransomware.

  • MD5 Hashes and URLs

    Known MD5 hashes associated with Mallox ransomware include various unique identifiers that help in recognizing malicious samples. URLs related to Mallox ransomware, such as ‘91.215.85.142/QWEwqdsvsf/ap.php’ and ‘whyers.io/QWEwqdsvsf/ap.php’, often lead to malicious download sites. Monitoring these MD5 hashes and associated URLs significantly aids in detecting and preventing Mallox ransomware attacks.
    Employing this information allows organizations to enhance their security measures and protect against potential ransomware infections.

  • Registry Keys and Command Lines

    Registry keys play a crucial role in identifying the presence of Mallox ransomware on infected systems. Specific keys such as ‘HKCU\Software\Mallox’ and ‘HKLM\Software\Mallox’ serve as indicators of compromise.
    Command line patterns indicative of Mallox infections often include the use of PowerShell or cmd.exe to execute the payload, employing unusual arguments resembling ‘encrypt’ or ‘decrypt’ operations. Recognizing these registry keys and command line patterns can significantly enhance detection efforts for Mallox ransomware and help in timely responses.

Summary

Mallox ransomware represents a significant threat in the cybersecurity landscape, employing sophisticated techniques for initial access, data encryption, and double extortion. By understanding its history, evolution, and operational tactics, organizations can better prepare to defend against potential attacks. Implementing robust security controls, staying vigilant, and maintaining comprehensive backup strategies are essential in mitigating the risks posed by Mallox ransomware. As cyber threats continue to evolve, staying informed and proactive is the key to safeguarding digital assets and ensuring business continuity.

Defend Your Data against Ransomware Attacks
  • Know What You’re Defending
  • Achieve a Proactive Cyber Defense
  • Stay Ahead of Known Vulnerabilities
Download Now

Frequently Ask Questions

What industries are most targeted by Mallox ransomware?

Mallox ransomware predominantly targets the manufacturing sector, professional and legal services, as well as wholesale and retail industries. This indicates a concerning trend where critical operational sectors are vulnerable to cyber threats.

How does Mallox ransomware execute its payload?

Mallox ransomware executes its payload through PowerShell scripts and command line techniques, frequently utilizing the ExecutionPolicy flag to bypass restrictions. This approach enables it to run malicious commands without raising immediate alerts.

What is the impact of Mallox ransomware on files and systems?

Mallox ransomware significantly impacts files and systems by encrypting them and appending specific extensions, while also deleting volume shadow copies to hinder recovery efforts. This makes it nearly impossible for victims to restore their data without paying the ransom.

How does Mallox use data leak sites in its extortion tactics?

Mallox employs data leak sites to disseminate stolen information, thereby intensifying pressure on victims to comply with ransom demands through the threat of public exposure of sensitive data.

What are some key indicators of compromise for Mallox ransomware?

Key indicators of compromise for Mallox ransomware include known MD5 hashes, specific registry keys, and unusual command line patterns. Monitoring these elements can help in early detection and response efforts.

About Author

Picture of Sarika Sharma
Sarika Sharma

Sarika, a cybersecurity enthusiast, contributes insightful articles to Fidelis Security, guiding readers through the complexities of digital security with clarity and passion. Beyond her writing, she actively engages in the cybersecurity community, staying informed about emerging trends and technologies to empower individuals and organizations in safeguarding their digital assets.

Related Readings

One Platform for All Adversaries

See Fidelis in action. Learn how our fast and scalable platforms provide full visibility, deep insights, and rapid response to help security teams across the World protect, detect, respond, and neutralize advanced cyber adversaries.

Get a Demo