Dark Web Profile: Mallox Ransomware

Mallox, a strain of ransomware and a group with the same name, encrypts its victims’ data and subsequently demands a ransom, typically in cryptocurrency, in return for providing the decryption key, just as a usual ransomware operator. However, this ransomware exhibited more destructiveness than many other ransomware variants in some cases. The Mallox ransomware strain and the group behind it, has been operational since around mid-2021 and is still active as of 2024.

Who is Mallox Ransomware?

Mallox is also called “TargetCompany,” “Tohnichi,” or “Fargo” ransomware and has been active since 2021. The group behind Mallox specializes in multi-extortion tactics, encrypting victim data and issuing threats to publish it on their public TOR-based websites.

According to SuspectFile’s interview blog with this ransomware group, Mallox stands out as one of the longest-running ransomware groups that remain active today (The interview was in the first month of 2023 and they are still active). The first encounter with its file samples dates back to June 2021, during which industry analysts initially labeled it as “TargetCompany ransomware.”

A year later, around mid to late 2022, the group gained the name Fargo due to an extension added to encrypted files. Presently, it is identified as Mallox ransomware. During 2022, researchers recorded a surge in Mallox samples.

While the successful operations of law enforcement agencies and counter ransomware initiatives continued to crack down on ransomware groups, many groups focused only on data leak and extortion. Mallox named their website as Mallox Data Leak on its home page. One question that comes to mind is, do they only do extortion anymore?

However, Mallox strains continue to appear around, and some companies have already been attacked with Mallox strains in 2024. Therefore for Mallox its not possible to say that they are now just an extortion group.

Modus Operandi of Mallox Ransomware

Initial Access Strategies:

Mallox Ransomware employs various techniques to gain initial access to target systems. This includes:

• Exploiting vulnerabilities in publicly exposed services such as MS-SQL and ODBC interfaces. Mallox specifically targets unpatched instances of old Remote Code Execution (RCE) vulnerabilities like CVE-2019-1068 in Microsoft SQL Server and CVE-2020-0618 in Microsoft SQL Server Reporting Services.
• Conducting brute-force attacks against weakly configured services and applications accessible over the internet.
• Utilizing phishing emails with malicious attachments or links to deliver attack frameworks like Cobalt Strike and Sliver helps establish initial access.

Persistence Mechanisms:

Once initial access is gained, Mallox ensures persistence on the compromised systems through various methods:

• Installing legitimate remote desktop software like AnyDesk to maintain access without relying solely on malware, ensuring continued control over the system.
• Creating backdoor accounts and scripts for persistent access allows the threat actors to re-enter the system even if discovered and removed initially.

Privilege Escalation Techniques:

Mallox employs privilege escalation tactics to elevate its access privileges within the compromised network:

• Using tools like Mimikatz to dump credentials and extract plaintext passwords from memory, enabling them to escalate privileges and gain access as domain administrators or other high-privileged accounts.
• Exploiting misconfigurations or vulnerabilities in the target system to escalate privileges and gain deeper access into critical areas of the network.

Network Enumeration and Reconnaissance:

Before moving laterally within the network, Mallox conducts thorough network enumeration and reconnaissance:

• Utilizing legitimate network scanning tools like netscan.exe to map out the network topology, identify active hosts, and gather information about network services and configurations.
• Enumerating user accounts, group memberships, and access permissions to identify high-value targets and potential avenues for lateral movement.

Lateral Movement Strategies:

Once familiar with the network, Mallox initiates lateral movement to expand its reach and compromise additional systems:

• Creating and using custom scripts or tools to move laterally across the network, exploiting vulnerabilities or weak security controls in interconnected systems.
• Leveraging compromised credentials or stolen tokens to move laterally between systems and escalate privileges further within the network hierarchy.

Data Exfiltration Techniques:

Mallox Ransomware often includes data exfiltration as part of its operation to maximize the impact of the attack:

• Using command-line utilities like Robocopy or PowerShell scripts to copy sensitive data from compromised systems to external servers controlled by the threat actors.
• Employing file compression tools or encryption algorithms to compress and encrypt exfiltrated data makes it harder for defenders to detect or recover.

Preparation for Encryption:

Before initiating the encryption process, Mallox takes specific preparatory steps to ensure a successful and widespread impact:

• Disabling or bypassing security controls such as firewalls, antivirus software, and endpoint detection systems to prevent early detection of ransomware activity.
• Suspending or terminating processes that may interfere with the encryption process, such as backup services or file synchronization utilities, to maximize the number of encrypted files.

File Encryption Procedures:

Mallox Ransomware employs advanced encryption techniques to render files inaccessible and demand ransom for decryption:

• Strong encryption algorithms like AES-256 or RSA-2048 can be used to encrypt files and append them with a unique file extension, making it clear which files have been encrypted.
• Encrypting files across a wide range of formats, including documents, spreadsheets, images, videos, databases, and archives, to maximize the impact on the victim’s operations.

Ransom Note Delivery:

After encrypting files, Mallox delivers ransom notes to inform victims of the encryption and provide instructions for ransom payment:

• Ransom notes are typically placed in each encrypted folder or on the desktop, typically in the form of text files or pop-up messages containing details about the ransom amount, payment deadlines, and contact information.
• Threatening victims with permanent data loss or exposure of sensitive information if the ransom is not paid within the specified timeframe creates a sense of urgency and pressure.

Ransom Payment Infrastructure:

Mallox establishes a ransom payment infrastructure to facilitate communication and payment processing with victims:

• Providing victims with unique Bitcoin wallet addresses or cryptocurrency payment portals to send ransom payments securely and anonymously.
• Setting up TOR-based communication channels or encrypted email addresses for direct communication with victims, ensuring anonymity and confidentiality during negotiations.

These steps illustrate the systematic and sophisticated approach employed by Mallox Ransomware throughout its attack lifecycle, from initial access to ransom payment facilitation.

Victimology

There are only 42 victims on the currently live leak site of Mallox, which has victims from almost all over the world over the years. These countries in the graph below are portrayed in parallel with their targeting intensity but only according to Mallox’s latest leak site’s index.

Mallox, whose hundreds of attacks have been reported over the years, continues to be a detected strain, although it is not as active as before. However, it seems to be one of the candidate groups to fill the gap in the ransomware landscape, especially after the operations carried out against large ransomware operators.

Even though it is certain that there are Russian hackers among the members of the group, we are not sure about calling the group completely Russia-based. Although former USSR countries are not targeted, unlike typical Russian-based ransomware, there is an attack targeting China.

Iran is not among the targets, although the group has intensive operations in the Middle East. Therefore, we can say that they are probably a Russia-based ransomware, but there are minor doubts.

There is no definitive target for Mallox ransomware, which has victims in almost every sector, but Professional, Scientific and Technical Services, Information, and Retail Trade appear to be the main targeted sectors.

When you enter an indexed victim’s page on their data leak site, a text introducing the company, revenue, and the size of the leak is written. They upload data leaks to file sharing sites accessible on the clear web. In this example, pixeldrain[.]com is used and the password to access the file is given.

The uploaded file was viewed only 29 times and downloaded 6 times. While this number rises to thousands even in ransomware groups whose impact is thought to be much smaller, Mallox’s leak had very little impact. While the uploaded file is claimed to be 3+ GB, the .rar version takes up 2 GB and the file was uploaded to the file sharing website 2 hours before it was uploaded to data leak sites.

Mitigation and Prevention Strategies Against Mallox Ransomware

• Employee Education and Awareness:

• • Conduct regular training sessions to educate employees about the risks associated with ransomware attacks.
  • Emphasize the importance of identifying and avoiding phishing emails, malicious attachments, and suspicious links.
  • Encourage employees to report any suspicious activity immediately to the IT department.

• Password Security Measures:

• • Implement a policy for strong and unique passwords for all user accounts.
  • Enforce regular password updates and rotations.
  • Ensure passwords are at least 8 characters long and include a mix of uppercase and lowercase letters, numbers, and special characters.

• Multi-Factor Authentication (MFA):

• • Enable MFA for all user accounts to add an extra layer of security.
  • Utilize reliable authentication methods such as mobile apps (e.g., Google Authenticator, Microsoft Authenticator), physical tokens, or smart cards.

• Regular System Updates and Patching:

• • Establish a routine schedule for updating and patching all systems, including operating systems, applications, and firmware.
  • Disable unnecessary or unused services and protocols to minimize vulnerabilities.

• Backup and Disaster Recovery (BDR) Plan:

• • Implement a robust backup and disaster recovery plan.
  • Conduct regular backups of all critical data and systems and store them securely in an offsite location.
  • Test backups periodically to ensure they can be restored quickly and effectively in case of a ransomware attack.

• Incident Response Plan (IRP) and Incident Response Retainer (IRR):

• • Develop a comprehensive IRP that outlines steps to be taken in the event of a ransomware attack.
  • Consider having an IRR with a trusted team of professionals available 24/7/365 to handle immediate actions, prevent data loss, reduce ransom payments, and address legal liabilities.

• Immediate Actions During a Ransomware Attack:

• • Isolate infected computers by disconnecting them from the internet and removing connected devices.
  • Contact local authorities (e.g., FBI field office, Internet Crime Complaint Centre) and provide necessary information such as ransom note screenshots, communications with attackers, and encrypted file samples.
  • Avoid restarting or shutting down systems to preserve evidence for digital forensics and investigation.

• Engage Ransomware Removal and Recovery Professionals:

• • If an IRP or IRR is not available, contact reputable ransomware removal and recovery professionals immediately.
  • Do not attempt to delete the ransomware or tamper with evidence, as it is crucial for investigation and identifying the attackers.

• Post-Attack Actions:

• • Identify the ransomware infection and gather information about its type and IOCs for further analysis.
  • Work with cybersecurity experts to remove the ransomware, eliminate exploit kits, and patch vulnerabilities to prevent future attacks.
  • Restore data from backups and utilize data recovery services if necessary, avoiding ransom payments as they do not guarantee data retrieval.

• Preventive Measures:

• • Install and regularly update antivirus/anti-malware software.
  • Employ reliable cybersecurity solutions, including firewalls and intrusion detection systems.
  • Maintain strong and secure passwords, and avoid using default credentials.
  • Keep software, applications, and operating systems up to date with the latest patches and security updates.
  • Conduct regular backups and test restoration processes.
  • Educate employees continuously on cybersecurity best practices and threat awareness.

By implementing these strategies, organizations can significantly reduce the risk of Mallox ransomware attacks and enhance overall cybersecurity resilience.

How Can SOCRadar Help?

SOCRadar presents a formidable defense against the Mallox ransomware threat. Our proactive threat monitoring and intelligence solutions are tailored to enhance your organization’s security stance. With our platform, you can actively track and analyze specific threat actors, gaining deep insights into their tactics, targeted vulnerabilities, affiliations, and indicators of compromise. This proactive approach empowers you to anticipate and counter potential threats effectively, safeguarding your valuable assets.

Furthermore, our Attack Surface Management module, equipped with the Ransomware Check function, offers continuous monitoring of all potential attack vectors. This ensures that you receive real-time alerts regarding any suspicious activities related to ransomware. By staying ahead of threats, you can swiftly respond and fortify your cybersecurity defenses, mitigating the risk posed by Mallox ransomware and other emerging threats.

MITRE ATT&CK Tactics and Techniques

Latest IoCs for Mallox Ransomware in SOCRadar Platform