Mallox Ransomware

Mallox Ransomware, also known as TargetCompany, FARGO, and Tohnichi, is a ransomware strain targeting Microsoft Windows systems. Since its emergence in June 2021, Mallox has gained notoriety for exploiting unsecured MS-SQL servers to compromise networks. This article provides a comprehensive overview of Mallox's tactics, techniques, and procedures (TTPs), the observed increase in its activities, and recommended measures for mitigating its threat.

Surge in Mallox Activities

Information security researchers have reported a significant rise in Mallox ransomware activities, with a 180% increase compared to the previous year. The primary attack vector involves exploiting unsecured MS-SQL servers. Mallox operators utilize brute force attacks to gain access to these servers, subsequently deploying the ransomware through various tools, including network scanners.

Double Extortion Tactics

Following a trend seen in many modern ransomware campaigns, Mallox employs double extortion tactics: it steals data before encrypting an organization's files and then threatens to publish the stolen data on a leak site. The goal is to coerce victims into paying the ransom. The stolen data is displayed on a Tor website titled 'Mallox Data Leaks,' where each victim is assigned a private key to negotiate terms and payment.

Targeted Industries and Global Reach

Mallox ransomware has claimed hundreds of victims globally across several industries, such as manufacturing, professional and legal services, and wholesale and retail. While the exact number of victims remains unknown, telemetry data indicates dozens of potential victims worldwide. The continuous uptick in Mallox activities since the beginning of 2023, with a 170% increase in attacks, highlights the growing threat posed by this ransomware group.

Initial Access and Infection Process

Since its inception, Mallox has consistently targeted unsecured MS-SQL servers to infiltrate networks. The attack begins with a dictionary brute force attack, attempting a list of known or commonly used passwords. Upon gaining access, attackers use command line and PowerShell scripts to download the Mallox ransomware payload from a remote server.

Command Line Execution

A typical command line used in a Mallox ransomware infection downloads the payload from hxxp://80.66.75.36/aRX.exe, saves it as tzt.exe, and runs a PowerShell script named updt.ps1. The script proceeds to:

  • Download another file named system.bat, saving it as tzt.bat.
  • Create a user named SystemHelp and enable Remote Desktop Protocol (RDP).
  • Execute the ransomware payload tzt.exe using Windows Management Instrumentation (WMI).

Pre-Encryption Activities

Before encrypting files, the ransomware payload performs several actions to ensure successful execution, such as:

  • Stopping and removing SQL-related services using sc.exe and net.exe.
  • Deleting volume shadows to prevent file restoration.
  • Clearing application, security, setup, and system event logs using Microsoft’s wevtutil command line utility.
  • Modifying file permissions using the takeown.exe command to deny access to key system processes.
  • Preventing system administrators from manually loading the System Image Recovery feature using bcdedit.exe.
  • Terminating security-related processes and services using taskkill.exe.
  • Bypassing specific anti-ransomware products by deleting their registry keys.
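As an added example (not code from the article or from any vendor tooling), the following Python script turns the behaviours listed under Command Line Execution and Pre-Encryption Activities into hunting rules and runs them over constructed process-creation records; the concrete command-line forms in the rules and the sample records are assumed typical ones, not quoted from the article.

```python
import re
from collections import defaultdict

# Hunting rules for the chain described above as (name, event field, regex).
# The concrete command-line forms are assumed typical ones, not quoted from the article.
RULES = [
    ("mssql_spawned_shell", "parent", r"^sqlservr\.exe$"),
    ("powershell_script_run", "cmdline", r"powershell(\.exe)?\b.*(-f(ile)?\s|downloadfile|invoke-webrequest)"),
    ("local_user_created", "cmdline", r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b"),
    ("rdp_enabled", "cmdline", r"fDenyTSConnections.*\s/d\s+0\b"),
    ("sql_service_stopped", "cmdline", r"\b(sc|net)(\.exe)?\s+stop\s+\S*sql"),
    ("shadow_copies_deleted", "cmdline", r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete"),
    ("event_log_cleared", "cmdline", r"wevtutil(\.exe)?\s+cl\s+(application|security|setup|system)\b"),
    ("recovery_disabled", "cmdline", r"bcdedit(\.exe)?\b.*recoveryenabled\s+no\b"),
    ("ownership_taken", "cmdline", r"takeown(\.exe)?\s+/f\b"),
]

# Constructed process-creation records (Sysmon Event ID 1 style), not real telemetry.
SAMPLE_EVENTS = [
    {"host": "sql01", "parent": "sqlservr.exe",
     "cmdline": "cmd.exe /c powershell -ep bypass -f C:\\Users\\Public\\updt.ps1"},
    {"host": "sql01", "parent": "powershell.exe", "cmdline": "net user SystemHelp Passw0rd! /add"},
    {"host": "sql01", "parent": "powershell.exe",
     "cmdline": 'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" '
                '/v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"host": "sql01", "parent": "tzt.exe", "cmdline": "wevtutil.exe cl security"},
    {"host": "sql01", "parent": "tzt.exe", "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "sql01", "parent": "tzt.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    # Benign look-alikes on another host: a log query and a plain account listing.
    {"host": "ws07", "parent": "explorer.exe", "cmdline": "wevtutil.exe qe application /c:5"},
    {"host": "ws07", "parent": "explorer.exe", "cmdline": "net user"},
]

def match_rules(event):
    """Return the names of every rule this single event trips, in RULES order."""
    return [name for name, field, pattern in RULES
            if re.search(pattern, event.get(field, ""), re.IGNORECASE)]

def triage(events, threshold=3):
    """Distinct rule hits per host; only hosts at or above the threshold are returned,
    since one matching command is noise but several in sequence is the chain."""
    hits_by_host = defaultdict(set)
    for ev in events:
        hits_by_host[ev["host"]].update(match_rules(ev))
    return {h: sorted(r) for h, r in hits_by_host.items() if len(r) >= threshold}

if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(rules)}")
```

The per-host threshold is what keeps a single `wevtutil` or `net user` from paging anyone; tune it and the regexes to your own baseline.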

Encryption Process

Mallox Ransomware encrypts the targeted file types using the ChaCha20 encryption algorithm and appends various extensions, including .malox, .FARGO3, .exploit, .avast, .bitenc, .xollam, and sometimes the victim's name. A ransom note named 'RECOVERY INFORMATION.txt' is left in every directory, explaining the infection and providing contact information. Post-execution, the malware deletes itself to cover its tracks.

Expansion Efforts of the Mallox Cybercriminals

Mallox is a relatively small and closed group, but there are indications that it is working to expand its operations. In January 2023, a member of the group revealed plans to recruit affiliates through hacking forums. A user named Mallx posted an invitation for penetration testers to join the Mallox Ransomware-as-a-Service (RaaS) affiliate program. Similar recruitment efforts were observed in May 2022, indicating an ongoing attempt to grow their operational capacity.

Conclusion

The Mallox ransomware group remains an active and evolving threat. Their increasing activities and recruitment efforts suggest a potential rise in attacks. Organizations must implement robust security practices to defend against Mallox and similar ransomware threats.

Recommended Security Measures

  • Ensure Proper Configuration and Patching: Keep all internet-facing applications and systems patched and up to date to reduce the attack surface.
  • Deploy Endpoint Detection and Response (EDR) Solutions: Use EDR solutions for in-memory inspection and detecting process injection techniques.
  • Perform Threat Hunting: Look for potential indicators of unusual behavior that could include security product evasion, service accounts exploited for lateral movement, and domain administrator-related user behavior.

By adopting these measures, organizations can strengthen their defenses against the ongoing threat of Mallox ransomware and other cybercriminal activities.

The text of the ransom notes observed to be left by Mallox Ransomware is:

Hello, your files are encrypted and cannot be used. To return your files in work condition you need decryption tool. Follow the instructions to decrypt all your data. Do not try to change or restore files yourself, this will break them. If you want, on our site, you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB.

How to get decryption tool:
1. Download and install Tor browser by this link [Tor link].
2. If Tor blocked in your country and you can't access to the link use any VPN software.
3. Run Tor browser and open the site.
4. Copy your private ID in the input field. Your private key - .
5. You will see payment information and we can make free test decryption here.

Our blog of leaked companies - .
If you are unable to contact us through the site, then you can email us: -
If you are unable to contact us through the site, waiting for a response via email can be several days. Do not use it if you have not tried contacting through the site.

Another ransom note variant is:

YOUR FILES ARE ENCRYPTED !!!

TO DECRYPT, FOLLOW THE INSTRUCTIONS:

To recover data you need decrypt tool.

To get the decrypt tool you should:

1. In the letter include your personal ID! Send me this ID in your first email to me!
2. We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files!
3. After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool!
4. We can decrypt few files in quality the evidence that we have the decoder.

CONTACT US:
mallox.israel@mailfence.com
mallox@tutanota.com

YOUR PERSONAL ID:

Aliases

- Tohnichi
- FARGO
- TargetCompany