Mallox Ransomware Exploits Weak MS-SQL Servers to Breach Networks
Mallox ransomware activity in 2023 has seen a 174% increase when compared to the previous year, reveals new findings from Palo Alto Networks Unit 42.
“Mallox ransomware, like many other ransomware threat actors, follows the trend of double blackmail: stealing data before encrypting organizational files, and then threatening to publish the stolen data on leak sites as leverage to convince victims to pay ransom fees,” security researchers Lior Rochberger and Shimi Cohen said in a new report shared with The Hacker News.
Mallox is linked to a related threat actor other ransomware strains, such as TargetCompany, Tohnichi, Fargo, and, most recently, Xollam. It first appeared in June 2021.
Some of the leading sectors targeted by Mallox are manufacturing, professional and legal services, as well as wholesale and retail.
An important aspect of this group is the pattern of exploiting insecure MS-SQL servers through dictionary attack as a penetration vector for compromising victim tissue. Xollam is a deviation from the norm as it has been observed using malicious OneNote file attachments for early access, such as detailed by Trend Micro last month.
After gaining a successful foothold on the infected host, a PowerShell command is executed to retrieve the ransomware payload from the remote server.
Binary, for its part, attempts to stop and remove SQL related services, delete volume shadow copies, delete system event logs, terminate security related processes, and bypass Racinean open source tool designed to fight ransomware attacks, before starting the encryption process, after which a ransom note is dropped on each directory.
Protecting Against Insider Threats: SaaS Master Security Posture Management
Worried about insider threats? We are here to help you! Join this webinar to explore practical strategies and secrets to proactive security with SaaS Security Posture Management.
TargetCompany remains a small and closed group, but has also been observed recruiting affiliates for the Mallox ransomware-as-a-service (RaaS) affiliate program on the RAMP cybercrime forum.
The development comes as ransomware continues to be a lucrative financial scheme, netting cybercriminals no less than $449.1 million in the first half of 2023 alone, per Chainalysis.
“The Mallox ransomware group has become more active in recent months, and their recent recruitment attempts may allow them to attack more organizations if the recruitment attempts are successful,” the researchers said.
