Notorious Mallox Ransomware Evolved From Private Ransomware to RaaS

Mallox is a sophisticated ransomware that is known for its destructive capabilities and multi-extortion tactics, which include encrypting victims’ data and threatening to publish it on public TOR-based websites.

In 2023, it demonstrated significant expansion with more than 700 distinct samples identified.

Mallox has been active since mid-2021, and the cybersecurity researchers at Kaspersky Lab recently discovered that it has evolved into a Ransomware-as-a-Service (RaaS) model by 2023.

Notorious Mallox Ransomware

The Mallox RaaS affiliate program is actively recruiting partners through dark web forums, expanding its global reach, and causing substantial damage to organizations worldwide.

This persistent threat leverages advanced encryption algorithms, employs evasion techniques to bypass security measures and uses a double extortion model, exfiltrating sensitive data before encryption to maximize ransom leverage.

Typical Mallox attack pattern (Source – Securelist)

Mallox employs sophisticated encryption methods, including:-

Elliptic-curve cryptography (ECC) on Curve25519 for key generation
ECDH (Elliptic-curve Diffie–Hellman) key agreement protocol
ChaCha20 stream cipher for file encryption in early versions
AES-128/256 in CTR/GCM modes in later variants

The malware targets companies globally, and for initial access often exploits vulnerabilities like CVE-2019-1068 and CVE-2020-0618 in MS SQL or PostgreSQL servers.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial

Mallox’s development across 12 identified versions includes enhanced cryptographic techniques to prevent decryption without the attacker’s private key, such as using CTR_DRBG for random number generation and ISAAC PRNG for file key generation.

Besides this, it has expanded its functionality like terminating database processes (SQL Server, Oracle, MySQL), disabling services via Service Control Manager, and modifying registry keys to disable UAC.

The ransomware included a “technical buffer” to encrypted files, marked by 0x02010201 and 0x04030403, containing decryption data.

Negotiation portal (Source – Securelist)

It operates a Tor-based portal for communication and a data leak site (DLS) for extortion. Not only that, even for ransom payments, it also supports both Bitcoin and Tether TRC-20.

Mallox profile on X (Source – Securelist)

Kaspersky said that to threaten its victims and promote its affiliate program, Mallox remains active on social media platforms like X (aka Twitter).

The ongoing efforts to evade detection mechanisms, increase encryption efficiency, and adapt to the competitive threat landscape scenario show that the operators of Mallox constantly evolve it by implementing sophisticated features like multi-threaded encryption (up to 64 threads) and selective file encryption based on size thresholds.

Recommendations

Here below we have mentioned all the recommendations:-

Avoid exposing RDP to public networks.
Always use strong passwords.
Keep VPNs and software updated.
Detect lateral movements and data exfiltration.
Regularly back up data with quick access.
Stay updated on the latest threat tactics.
Use Managed Detection and Response (MDR) services.
Train employees in security awareness.

What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!

Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.