Scroll Top

Mallox Ransomware surges with 174% increase in 2023, targeting weak MS-SQL servers

MSSQL

InternetIntelligence.eu, a prominent platform specializing in Open Source Intelligence (OSINT), cyber analysis, and threat research, highlights the latest findings from Palo Alto Networks Unit 42, revealing a concerning surge in Mallox ransomware activities in 2023. The report indicates a staggering 174% increase compared to the previous year, signifying the growing threat posed by this ransomware strain.

Mallox ransomware operates in line with the double extortion trend, adopting a dual strategy of stealing sensitive data before encrypting an organization’s files. Security researchers Lior Rochberger and Shimi Cohen from Palo Alto Networks Unit 42 emphasized that the threat actors behind Mallox leverage the stolen data as leverage, threatening to publish it on leak sites to coerce victims into paying the demanded ransom fee.

Notably, Mallox is linked to a threat actor responsible for other ransomware strains, including TargetCompany, Tohnichi, Fargo, and most recently, Xollam. Its initial appearance on the cyber landscape dates back to June 2021, and it has since honed its tactics to target specific sectors effectively.

Mallox predominantly targets sectors like manufacturing, professional and legal services, and wholesale and retail, aiming to maximize its impact on critical industries.

One key aspect of Mallox’s modus operandi lies in its exploitation of poorly secured MS-SQL servers through dictionary attacks. This serves as the primary penetration vector to breach victims’ networks. However, researchers have observed a deviation in Xollam’s tactics, where malicious OneNote file attachments are utilized for initial access, as previously reported by Trend Micro. Once successfully infiltrated, the ransomware deploys a PowerShell command to retrieve the ransomware payload from a remote server.

To ensure unhindered encryption, Mallox’s binary attempts to halt and remove SQL-related services, delete volume shadow copies, clear system event logs, terminate security-related processes, and bypass Raccine, an open-source tool designed to counter ransomware attacks. Subsequently, a ransom note is placed in every directory, demanding payment from the affected organizations.

Despite being a relatively small, closed group, TargetCompany has been observed recruiting affiliates for the Mallox ransomware-as-a-service (RaaS) program on the RAMP cybercrime forum, potentially enabling them to widen their attack scope.

The resurgence of Mallox ransomware and the growing ransomware trend, which has generated a staggering $449.1 million for cybercriminals in the first half of 2023 alone, according to Chainalysis, highlights the urgency for robust cybersecurity measures and heightened vigilance across all industries.

InternetIntelligence.eu urges organizations to remain proactive in implementing strong security protocols, conducting regular assessments, and educating employees about the evolving threats to safeguard against ransomware attacks effectively.

Related Posts

Leave a comment

You must be logged in to post a comment.
Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.