Mallox Ransomware Targets Microsoft SQL Servers - A Growing Threat

Introduction

Since its emergence in June 2021, a new and highly dangerous ransomware strain called Mallox, also known as TargetCompany, FARGO, and Tohnichi, has been actively targeting and attacking Microsoft SQL (MS-SQL) servers. This ransomware is particularly notorious for exploiting unsecured MS-SQL servers to gain access to victims' networks. Security researchers at Unit 42 have recently identified a significant surge in Mallox ransomware, with a 174% increase in attacks compared to late 2022. The group behind Mallox employs a double extortion strategy, encrypting files and stealing data to pressure victims into paying the ransom.

Distribution and Targeted Industries

Mallox ransomware has been widespread, with hundreds of victims falling prey to the attacks. According to Unit 42 telemetry, the ransomware has affected various industries, including manufacturing, professional services, legal services, wholesale, and retail. The group's malicious activities have been persistent and escalated in 2023.

Execution Techniques

To execute the ransomware payload successfully, Mallox employs multiple tactics to evade detection and hinder recovery. It first gains initial access by targeting exposed MS-SQL servers with dictionary brute-force attacks against SQL logins. It then uses the command line and PowerShell to download and deploy the payload. Prior to encryption, Mallox attempts to:

  • Stop and remove SQL-related services using sc.exe and net.exe.
  • Delete volume shadow copies, making file restoration after encryption difficult.
  • Erase event logs with Microsoft's wevtutil command-line tool, hindering detection and forensic analysis.
  • Alter file ownership and permissions with takeown.exe to block access to critical system binaries such as cmd.exe.
  • Disable manual System Image Recovery with bcdedit.exe, limiting the administrator's recovery options.
  • Terminate security processes with taskkill.exe to bypass security solutions.
  • Remove the registry key used by the Raccine anti-ransomware tool, neutralising it.
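The pre-encryption steps above leave a recognisable trail in process-creation telemetry. The following detection logic is an added example, not code from Unit 42 or the original article: it runs a small set of rules over constructed process-creation events (Sysmon Event ID 1 / Security 4688 style, with host, parent image, image and command line assumed as fields) and flags a host once several distinct techniques from the list are seen together, so a single legitimate admin command does not raise an alert.

```python
import re
from collections import defaultdict

# Detection rules: (name, image regex, command-line regex); both must match, case-insensitively.
# Each rule corresponds to one of the pre-encryption steps described in the article.
RULES = [
    ("sql_service_stopped",   r"^(sc|net)\.exe$",        r"\bstop\b.*sql"),
    ("shadow_copies_deleted", r"^(vssadmin|wmic)\.exe$", r"delete\s+shadows|shadowcopy\s+delete"),
    ("event_logs_cleared",    r"^wevtutil\.exe$",        r"\b(cl|clear-log)\b"),
    ("takeown_system_binary", r"^takeown\.exe$",         r"\\system32\\"),
    ("recovery_disabled",     r"^bcdedit\.exe$",         r"recoveryenabled\s+no"),
    ("security_proc_killed",  r"^taskkill\.exe$",        r"/f\b.*/im\b"),
    ("raccine_key_removed",   r"^reg\.exe$",             r"\bdelete\b.*raccine"),
]

def match_event(event):
    """Return the rule names a single process-creation event triggers."""
    hits = []
    # Initial-access indicator: the MS-SQL service process spawning a shell.
    if event["parent"].lower() == "sqlservr.exe" and re.match(r"^(cmd|powershell)\.exe$", event["image"], re.I):
        hits.append("mssql_spawns_shell")
    for name, image_re, cmd_re in RULES:
        if re.search(image_re, event["image"], re.I) and re.search(cmd_re, event["cmdline"], re.I):
            hits.append(name)
    return hits

def score_hosts(events, threshold=3):
    """Collect distinct technique hits per host; return hosts at or above the threshold."""
    hits_by_host = defaultdict(set)
    for ev in events:
        hits_by_host[ev["host"]].update(match_event(ev))
    return {h: sorted(s) for h, s in hits_by_host.items() if len(s) >= threshold}

# Constructed sample events (not real telemetry): sql01 shows the chain, ws07 shows routine admin work.
SAMPLE_EVENTS = [
    {"host": "sql01", "parent": "sqlservr.exe", "image": "cmd.exe",      "cmdline": "cmd.exe /c powershell.exe"},
    {"host": "sql01", "parent": "cmd.exe",      "image": "net.exe",      "cmdline": "net.exe stop MSSQLSERVER /y"},
    {"host": "sql01", "parent": "cmd.exe",      "image": "vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "sql01", "parent": "cmd.exe",      "image": "wevtutil.exe", "cmdline": "wevtutil.exe cl Security"},
    {"host": "sql01", "parent": "cmd.exe",      "image": "bcdedit.exe",  "cmdline": "bcdedit.exe /set {default} recoveryenabled No"},
    {"host": "sql01", "parent": "cmd.exe",      "image": "taskkill.exe", "cmdline": "taskkill.exe /F /IM sqlwriter.exe"},
    {"host": "ws07",  "parent": "explorer.exe", "image": "wevtutil.exe", "cmdline": "wevtutil.exe qe Application /c:5"},
    {"host": "ws07",  "parent": "explorer.exe", "image": "net.exe",      "cmdline": "net.exe stop Spooler"},
]

if __name__ == "__main__":
    for host, techniques in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {len(techniques)} techniques -> {', '.join(techniques)}")
```

Tune the threshold and regexes to your own baseline; the point is correlating several of these steps on one host in a short window, which is far more specific than alerting on any single tool.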

Ransom Note

Mallox ransomware follows the common practice of leaving a ransom note in each directory on the victim's drive, explaining the infection and providing contact details for ransom payment.

Threat of Expansion

Although Mallox is currently a relatively small and closed group, it aims to grow its illicit operations by recruiting affiliates. Through successful recruitment, Mallox could expand its scope and target additional organizations, posing an even more significant threat to cybersecurity.

Mitigating the Risk

In light of the growing threat from Mallox ransomware, Unit 42 advises organizations to take proactive measures to minimize their attack surface. Proper configuration and patching of internet-facing applications and systems can limit attackers' options and reduce the likelihood of successful breaches.

Conclusion

Mallox ransomware continues to be a severe threat to organizations worldwide, exploiting vulnerabilities in Microsoft SQL servers to carry out devastating attacks. To protect against such ransomware strains, it is crucial for organizations to prioritize cybersecurity measures, including regular patching and securing their MS-SQL servers to prevent unauthorized access.
