Mallox Ransomware: How Linux Servers Are Now a Prime Target in 2024

Mallox ransomware, known for wreaking havoc on unsecured Microsoft SQL (MSSQL) servers, has evolved into a sophisticated multi-platform threat. Since mid-2021, this Ransomware-as-a-Service (RaaS) model has expanded its capabilities, targeting Linux environments through custom Python scripts. The rise of Mallox Linux 1.0 marks a significant turning point, as the ransomware group integrates double extortion tactics and innovative persistence mechanisms.

In this article, we break down Mallox's techniques, discuss how businesses can defend against it, and analyze what sets it apart from other ransomware variants.

Ransomware-as-a-Service: Understanding the Mallox Business Model

Mallox operates under a Ransomware-as-a-Service (RaaS) model, where affiliates execute the attacks while the operators maintain the software and infrastructure. Since its first appearance in mid-2021, Mallox has continued to gain momentum, leveraging underground forums such as Nulled and RAMP to recruit affiliates. The attackers share profits, creating a lucrative and scalable operation that adapts quickly to new environments.

Key Features of Mallox RaaS:

  • Affiliates vs. Operators: Mallox attacks can be conducted by the original operators or affiliates.
  • Global Reach: Mallox attacks have been observed across various countries and sectors, with no clear regional focus.

Mallox's Initial Attack Methods: Exploiting Unsecured MSSQL Servers

The initial access method for Mallox ransomware often involves exploiting weakly secured MSSQL servers. Several key techniques make this ransomware particularly dangerous:

  • Unpatched Vulnerabilities: The group frequently targets unpatched systems, specifically using vulnerabilities like CVE-2019-1068 and CVE-2020-0618 in Microsoft SQL Server.
  • PowerShell Scripts: Once inside, Mallox actors use PowerShell droppers such as Alta.ps1, found in the AppData directories of compromised MSSQL service accounts, to deliver the ransomware payload.
  • Brute-Force Attacks: In some cases, brute-force attacks against weakly configured MSSQL services exposed to the public internet are used to gain access.

Persistence Through Legitimate Tools

Once the attackers have infiltrated a system, they often use legitimate software to establish a backdoor:

  • AnyDesk Installation: Mallox attackers frequently install AnyDesk, a legitimate remote desktop tool, for persistent access without relying on malware. Other ransomware groups, like Akira, also use this strategy.
  • Mimikatz for Credential Dumping: The attackers deploy Mimikatz, a well-known open-source tool, to dump credentials and escalate privileges, often gaining domain administrator access. With domain admin rights, the attackers compromise the entire network.

Network Enumeration and Lateral Movement

Once access is obtained, Mallox ransomware actors map the network and move laterally within it to identify valuable targets for data exfiltration:

  • Network Mapping: To understand the network layout, the attackers use SoftPerfect's legitimate netscan.exe tool (renamed netscanold.exe).
  • Creating User Accounts: They often create new user accounts, such as SystemUI, with batch scripts like system.bat, and use those accounts to move across the network.

Data Exfiltration and Double Extortion Tactics

Mallox attackers don't just encrypt data; they also steal it, threatening to publish the stolen data on the dark web if the ransom isn't paid:

  • FileZilla for Data Exfiltration: Using the legitimate file transfer tool FileZilla, attackers exfiltrate sensitive data over FTP or SFTP. This stolen data is later used for double extortion, where the attackers demand a ransom for decryption and threaten to leak the data.
  • Mallox Dark Web Blog: If the ransom isn't paid, the stolen data is published on the Mallox dark web blog. The blog includes leaked information about compromised companies and their exfiltrated data.

Mallox Linux 1.0: A New Variant with Custom Python Scripts

The Linux variant of Mallox, known as Mallox Linux 1.0, utilizes custom Python scripts to deliver ransomware payloads and manage encryption processes:

  • Custom Python Scripts: Attackers use a Flask-based script, web_server.py, to create encryption builds and handle user authentication. This script provides an easily customizable ransomware deployment for affiliates.
  • AES-256-CBC Encryption: As with the Windows variant, Mallox Linux 1.0 uses AES-256-CBC encryption, appending file extensions like .mallab to encrypted files.
  • Exfiltration Mechanism: Mallox Linux scripts are highly adaptable, making exfiltrating sensitive information from Linux servers easier.

Mallox Ransomware Mechanics

Before encrypting files, Mallox ransomware takes several steps to turn off recovery and ensure system performance:

  • Disabling Recovery Mechanisms: The ransomware turns off system recovery via the bcdedit command, preventing administrators from restoring the system using built-in recovery tools.
  • Geographic Termination: The malware checks the system's region and terminates the attack if it detects that the system is located in Russia or nearby regions, likely to avoid prosecution in those countries.
  • Performance Optimization: Mallox optimizes system performance by changing the Windows power plan to "High Performance" to speed up the encryption process.

Indicators of Compromise (IoCs)

Monitoring IoCs is crucial for early detection and prevention of Mallox attacks. Here are some key IoCs associated with Mallox:

  • Files:
    • system.bat (SHA256=0e05b8d0a88660c00510abde3aade43291e774880ed001e3a88dbb753dcb6f52)
    • netscanold.exe (SHA256=572d88c419c6ae75aeb784ceab327d040cb589903d6285bbffa77338111af14b)
    • addt.ps1 (SHA256=dc404d498cc6443db5c872e6acfa394641c83313263fe2373535d7eeb49a62e9)
  • IP Addresses:
    • 91.215.85.142
    • 80.66.75.66
    • 203.154.255.114

Using tools like FOFA and Censys, security teams can scan for these IoCs to identify compromised systems or ransomware infrastructure.
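The following script is an added example (not code from the article or from any of the vendor reports it links) showing how a blue team can sweep endpoint and network logs for the indicators listed above plus the pre-encryption behaviours from the "Mallox Ransomware Mechanics" section. The hashes and IP addresses are the ones quoted in the article; the log format, host names and log lines are constructed samples; the exact bcdedit argument (`recoveryenabled no`) and the High Performance power-scheme GUID are assumptions based on standard Windows usage, not values the article states.

```python
"""Sweep key=value style process and network logs for Mallox indicators.

Added example, not code from the original article. IoC hashes and IPs are
taken from the article; everything else (log format, hosts, bcdedit and
powercfg argument patterns) is assumed or constructed for illustration.
"""
import re
from typing import Dict, List

# File hashes quoted in the article's IoC list.
MALLOX_SHA256 = {
    "0e05b8d0a88660c00510abde3aade43291e774880ed001e3a88dbb753dcb6f52": "system.bat",
    "572d88c419c6ae75aeb784ceab327d040cb589903d6285bbffa77338111af14b": "netscanold.exe",
    "dc404d498cc6443db5c872e6acfa394641c83313263fe2373535d7eeb49a62e9": "addt.ps1",
}
# IP addresses quoted in the article's IoC list.
MALLOX_IPS = {"91.215.85.142", "80.66.75.66", "203.154.255.114"}

# Behavioural patterns. The article says recovery is disabled via bcdedit and the
# power plan is set to High Performance; the concrete arguments below are assumed
# (the GUID is the standard Windows "High performance" scheme, not from the article).
BEHAVIOUR_PATTERNS = [
    (re.compile(r"bcdedit(\.exe)?.*/set.*recoveryenabled\s+no", re.I),
     "system recovery disabled via bcdedit"),
    (re.compile(r"powercfg(\.exe)?.*(/s|-setactive)\s+8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c", re.I),
     "power plan switched to High Performance"),
    (re.compile(r"\bnetscanold\.exe\b", re.I),
     "renamed SoftPerfect netscan executed"),
]

# Constructed sample telemetry: one compromised MSSQL host (db01) and one clean host (web07).
SAMPLE_LOGS = """\
2024-05-03T10:12:01Z host=db01 event=process_create image=C:\\Windows\\System32\\bcdedit.exe cmdline="bcdedit /set {default} recoveryenabled no"
2024-05-03T10:12:03Z host=db01 event=process_create image=C:\\Users\\svc_mssql\\AppData\\Roaming\\netscanold.exe cmdline="netscanold.exe" sha256=572d88c419c6ae75aeb784ceab327d040cb589903d6285bbffa77338111af14b
2024-05-03T10:13:10Z host=db01 event=net_connect dst=91.215.85.142 dport=21 proto=tcp
2024-05-03T10:13:12Z host=db01 event=process_create image=C:\\Windows\\System32\\powercfg.exe cmdline="powercfg /s 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c"
2024-05-03T10:14:00Z host=web07 event=net_connect dst=10.0.0.5 dport=443 proto=tcp
2024-05-03T10:14:02Z host=web07 event=process_create image=C:\\Windows\\notepad.exe cmdline="notepad.exe" sha256=0000000000000000000000000000000000000000000000000000000000000000
"""

# key=value or key="quoted value" tokens; the leading timestamp has no '=' and is skipped.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, str]:
    """Turn one log line into a dict of its key=value fields."""
    fields: Dict[str, str] = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def scan_logs(log_text: str) -> List[Dict[str, str]]:
    """Return one hit per matched indicator (hash, IP, or behaviour)."""
    hits: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        fields = parse_line(raw)
        ts, host = raw.split(" ", 1)[0], fields.get("host", "?")
        sha = fields.get("sha256", "").lower()
        if sha in MALLOX_SHA256:
            hits.append({"ts": ts, "host": host, "kind": "hash",
                         "detail": f"known Mallox file {MALLOX_SHA256[sha]}"})
        dst = fields.get("dst")
        if dst in MALLOX_IPS:
            hits.append({"ts": ts, "host": host, "kind": "ip",
                         "detail": f"connection to Mallox infrastructure {dst}:{fields.get('dport', '?')}"})
        # Match behaviours against the command line and image path together.
        cmd = fields.get("cmdline", "") + " " + fields.get("image", "")
        for pattern, label in BEHAVIOUR_PATTERNS:
            if pattern.search(cmd):
                hits.append({"ts": ts, "host": host, "kind": "behaviour", "detail": label})
    return hits


def summarize(hits: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group the kinds of evidence seen per host, for triage prioritisation."""
    by_host: Dict[str, List[str]] = {}
    for hit in hits:
        by_host.setdefault(hit["host"], []).append(hit["kind"])
    return by_host


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for hit in found:
        print(f'{hit["ts"]} {hit["host"]:6} [{hit["kind"]}] {hit["detail"]}')
    print("per-host evidence:", summarize(found))
```

A host that shows a behaviour hit (recovery disabled, power plan changed) alongside a hash or IP hit deserves immediate isolation, since those steps precede encryption; hash-only hits on isolated hosts may reflect a blocked download and warrant a quieter check.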

How to Protect Your Linux Servers from Mallox Ransomware

  1. Patch Vulnerabilities: Ensure all servers, particularly MSSQL and SSH services, are updated with the latest patches. Mallox targets outdated and unpatched systems.
  2. Secure SSH Configurations: Implement strong SSH configurations with multi-factor authentication (MFA) to prevent brute-force attacks.
  3. Limit Public-Facing Services: Restrict critical services from public access by using VPNs and firewalls.
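To make the second item concrete, here is an added example (not from the article) that audits an OpenSSH `sshd_config` against the settings that shut down password brute-forcing and require a second factor. The two configuration fragments are constructed; the checked directives and their defaults follow the standard `sshd_config(5)` semantics (first occurrence of a directive wins, keys are case-insensitive). The hypothetical "weak" fragment mirrors a default-style install, and the "hardened" one is the shape of a key-plus-second-factor setup.

```python
"""Audit sshd_config for settings that enable SSH brute-force attacks.

Added example, not code from the original article. Sample configs are
constructed; directive names and defaults follow sshd_config(5).
"""
import re
from typing import Dict, List, Set, Tuple

# directive -> (acceptable values, why it matters)
EXPECTED: Dict[str, Tuple[Set[str], str]] = {
    "passwordauthentication": ({"no"}, "password logins are what brute-force tools guess; use keys"),
    "permitrootlogin": ({"no", "prohibit-password"}, "root must not be reachable by password"),
    "permitemptypasswords": ({"no"}, "empty passwords make guessing trivial"),
}
# Values sshd applies when the directive is absent (sshd_config(5) defaults).
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
}
MAX_AUTH_TRIES = 3  # policy choice for this example

# Constructed: a default-style config that a brute-forcer loves.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
"""

# Constructed: keys plus a PAM-driven second factor (keyboard-interactive).
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
KbdInteractiveAuthentication yes   # carries the MFA prompt, not a password
AuthenticationMethods publickey,keyboard-interactive
MaxAuthTries 3
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return global directives with lowercased keys.

    First occurrence wins, as in sshd. Parsing stops at the first Match block,
    because directives after it are conditional and need per-user evaluation.
    """
    directives: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        directives.setdefault(key, value)
    return directives


def audit(text: str) -> List[str]:
    """Return a list of findings; an empty list means the global section passes."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings: List[str] = []
    for key, (ok_values, why) in EXPECTED.items():
        if cfg.get(key, "").lower() not in ok_values:
            findings.append(f"{key}={cfg.get(key)}: {why}")
    try:
        tries = int(cfg["maxauthtries"])
    except ValueError:
        tries = int(DEFAULTS["maxauthtries"])
    if tries > MAX_AUTH_TRIES:
        findings.append(f"maxauthtries={tries}: limit guesses per connection to {MAX_AUTH_TRIES} or fewer")
    # MFA evidence: at least one AuthenticationMethods chain requiring two methods.
    methods = cfg.get("authenticationmethods", "")
    if not any("," in chain for chain in methods.split()):
        findings.append("authenticationmethods: no multi-factor chain such as publickey,keyboard-interactive")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(text) or 'no findings'}")
```

Run the audit against the real file with `audit(open("/etc/ssh/sshd_config").read())`; because the parser stops at the first `Match` block, any per-user or per-address overrides still need to be reviewed by hand.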

What to Do if Infected by Mallox

  1. Isolate the Infected Systems: Disconnect compromised systems from the network immediately.
  2. Seek Professional Help: Contact cybersecurity experts to assess the damage and explore recovery options.
  3. Avoid Paying the Ransom: Paying does not guarantee recovery and can lead to further exploitation.

Conclusion

Mallox ransomware continues to evolve, posing a threat to Windows and Linux environments. Its RaaS model allows for quick adaptation and widespread attacks, making it crucial for organizations to stay ahead. The key to defending against Mallox lies in proactive measures: patching vulnerabilities, securing access points, and monitoring for IoCs.


Engage With Us: What are your strategies for defending against ransomware like Mallox? Share your insights and join the conversation.


Reference Links:

https://live.paloaltonetworks.com/t5/community-blogs/threat-group-assessment-mallox-ransomware/ba-p/555380

https://www.bleepingcomputer.com/news/security/new-mallox-ransomware-linux-variant-based-on-leaked-kryptina-code/

https://www.uptycs.com/blog/threat-research-report-team/mallox-ransomware-linux-variant-decryptor-discovered

https://www.rewterz.com/threat-advisory/new-linux-version-of-mallox-ransomware-based-on-leaked-kryptina-code-active-iocs


More articles by Prateek Jangid