Mallox is a sophisticated ransomware that is known for its destructive capabilities and multi-extortion tactics, which include encrypting victims’ data and threatening to publish it on public TOR-based websites.
In 2023, it demonstrated significant expansion with more than 700 distinct samples identified.
Mallox has been active since mid-2021, and the cybersecurity researchers at Kaspersky Lab recently discovered that it has evolved into a Ransomware-as-a-Service (RaaS) model by 2023.
The Mallox RaaS affiliate program is actively recruiting partners through dark web forums, expanding its global reach, and causing substantial damage to organizations worldwide.
This persistent threat leverages advanced encryption algorithms, employs evasion techniques to bypass security measures and uses a double extortion model, exfiltrating sensitive data before encryption to maximize ransom leverage.
Mallox employs sophisticated encryption methods, including:-
The malware targets companies globally, and for initial access often exploits vulnerabilities like CVE-2019-1068 and CVE-2020-0618 in MS SQL or PostgreSQL servers.
Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial
Mallox’s development across 12 identified versions includes enhanced cryptographic techniques to prevent decryption without the attacker’s private key, such as using CTR_DRBG for random number generation and ISAAC PRNG for file key generation.
Besides this, it has expanded its functionality like terminating database processes (SQL Server, Oracle, MySQL), disabling services via Service Control Manager, and modifying registry keys to disable UAC.
The ransomware included a “technical buffer” to encrypted files, marked by 0x02010201 and 0x04030403, containing decryption data.
It operates a Tor-based portal for communication and a data leak site (DLS) for extortion. Not only that, even for ransom payments, it also supports both Bitcoin and Tether TRC-20.
Kaspersky said that to threaten its victims and promote its affiliate program, Mallox remains active on social media platforms like X (aka Twitter).
The ongoing efforts to evade detection mechanisms, increase encryption efficiency, and adapt to the competitive threat landscape scenario show that the operators of Mallox constantly evolve it by implementing sophisticated features like multi-threaded encryption (up to 64 threads) and selective file encryption based on size thresholds.
Here below we have mentioned all the recommendations:-
What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!
Grayscale Investments, a prominent crypto asset manager, has reportedly suffered a data breach affecting 693,635…
A database containing over 1,000 email accounts associated with the National Health Service (NHS) has…
Researchers from Avast have uncovered a vulnerability in the cryptographic schema of the Mallox ransomware,…
A recently discovered vulnerability in Red Hat's NetworkManager, CVE-2024-8260, has raised concerns in the cybersecurity…
Tor Browser 14.0 has been officially launched. It brings significant updates and new features to…
INE Security offers essential advice to protect digital assets and enhance security. As small businesses…