Saturday, November 9, 2024
Homecyber securityNotorious Mallox Ransomware Evolved From Private Ransomware to RaaS

Notorious Mallox Ransomware Evolved From Private Ransomware to RaaS

Published on

Malware protection

Mallox is a sophisticated ransomware that is known for its destructive capabilities and multi-extortion tactics, which include encrypting victims’ data and threatening to publish it on public TOR-based websites.

In 2023, it demonstrated significant expansion with more than 700 distinct samples identified.

Mallox has been active since mid-2021, and the cybersecurity researchers at Kaspersky Lab recently discovered that it has evolved into a Ransomware-as-a-Service (RaaS) model by 2023. 

- Advertisement - SIEM as a Service

Notorious Mallox Ransomware

The Mallox RaaS affiliate program is actively recruiting partners through dark web forums, expanding its global reach, and causing substantial damage to organizations worldwide. 

This persistent threat leverages advanced encryption algorithms, employs evasion techniques to bypass security measures and uses a double extortion model, exfiltrating sensitive data before encryption to maximize ransom leverage.

Typical Mallox attack pattern (Source - Securelist)
Typical Mallox attack pattern (Source – Securelist)

Mallox employs sophisticated encryption methods, including:-

  • Elliptic-curve cryptography (ECC) on Curve25519 for key generation
  • ECDH (Elliptic-curve Diffie–Hellman) key agreement protocol
  • ChaCha20 stream cipher for file encryption in early versions
  • AES-128/256 in CTR/GCM modes in later variants

The malware targets companies globally, and for initial access often exploits vulnerabilities like CVE-2019-1068 and CVE-2020-0618 in MS SQL or PostgreSQL servers. 

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial

Mallox’s development across 12 identified versions includes enhanced cryptographic techniques to prevent decryption without the attacker’s private key, such as using CTR_DRBG for random number generation and ISAAC PRNG for file key generation. 

Besides this, it has expanded its functionality like terminating database processes (SQL Server, Oracle, MySQL), disabling services via Service Control Manager, and modifying registry keys to disable UAC. 

The ransomware included a “technical buffer” to encrypted files, marked by 0x02010201 and 0x04030403, containing decryption data. 

Negotiation portal (Source - Securelist)
Negotiation portal (Source – Securelist)

It operates a Tor-based portal for communication and a data leak site (DLS) for extortion. Not only that, even for ransom payments, it also supports both Bitcoin and Tether TRC-20.

Mallox profile on X (Source - Securelist)
Mallox profile on X (Source – Securelist)

Kaspersky said that to threaten its victims and promote its affiliate program, Mallox remains active on social media platforms like X (aka Twitter).

The ongoing efforts to evade detection mechanisms, increase encryption efficiency, and adapt to the competitive threat landscape scenario show that the operators of Mallox constantly evolve it by implementing sophisticated features like multi-threaded encryption (up to 64 threads) and selective file encryption based on size thresholds.

Recommendations

Here below we have mentioned all the recommendations:-

  • Avoid exposing RDP to public networks.
  • Always use strong passwords.
  • Keep VPNs and software updated.
  • Detect lateral movements and data exfiltration.
  • Regularly back up data with quick access.
  • Stay updated on the latest threat tactics.
  • Use Managed Detection and Response (MDR) services.
  • Train employees in security awareness.

What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

CISA Warns of Critical Palo Alto Networks Vulnerability Exploited in Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns organizations of a critical vulnerability...

Cisco Desk Phone Series Vulnerability Lets Remote Attacker Access Sensitive Information

A significant vulnerability (CVE-2024-20445) has been discovered in Cisco Desk Phone 9800 Series, IP...

Cisco Flaw Let Attackers Run Command as Root User

A critical vulnerability has been discovered in Cisco Unified Industrial Wireless Software, which affects...

Researchers Detailed Credential Abuse Cycle

The United States Department of Justice has unsealed an indictment against Anonymous Sudan, a...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

CISA Warns of Critical Palo Alto Networks Vulnerability Exploited in Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns organizations of a critical vulnerability...

Cisco Desk Phone Series Vulnerability Lets Remote Attacker Access Sensitive Information

A significant vulnerability (CVE-2024-20445) has been discovered in Cisco Desk Phone 9800 Series, IP...

Cisco Flaw Let Attackers Run Command as Root User

A critical vulnerability has been discovered in Cisco Unified Industrial Wireless Software, which affects...