MS-SQL Servers Under Siege: Mallox Ransomware Deployed via Honeypot


NEWS | 13 MAY 2024

A recent incident involving an MS-SQL (Microsoft SQL) honeypot has highlighted the sophisticated tactics employed by cyber-attackers using Mallox ransomware (also known as Fargo, TargetCompany, Mawahelper, etc.). The honeypot, set up by the Sekoia research team, was targeted by an intrusion set using brute-force techniques to deploy Mallox ransomware via PureCrypter, exploiting various MS-SQL vulnerabilities.

Attack Overview

The Sekoia research team deployed an MS-SQL honeypot to monitor potential cyber-attacks and gather intelligence on the methods used by attackers. Shortly after deployment, the honeypot was compromised through a brute-force attack targeting the “sa” (SQL Administrator) account. The account was compromised within an hour, demonstrating the attackers' persistence and determination.

Technical Analysis

The technical analysis of the Mallox ransomware attack on the MS-SQL honeypot revealed several sophisticated tactics and techniques employed by the attackers. Here is an in-depth look at the mechanisms used:

Initial Compromise

The attackers gained initial access to the MS-SQL server by targeting the “sa” account through a brute-force attack. This account, often the default administrative account in MS-SQL installations, is a common target due to its high level of privileges. The attackers used automated tools to repeatedly attempt various password combinations until they successfully gained access.
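A brute-force run against “sa” of the kind described above leaves a dense trail of failed-login messages in the SQL Server error log, each carrying the client address. The following T-SQL is an added example for defenders; it is not part of the original article or of the Sekoia research. It assumes the default login-auditing setting (failed logins are logged), that the caller holds the server-level permission xp_readerrorlog requires, and that the error-log message keeps Microsoft's usual `[CLIENT: address]` suffix. The threshold of 20 failures per source is an assumed starting point, not a value from the page.

```sql
-- Added example: summarise failed 'sa' logins per source address from the
-- current SQL Server error log, then check whether sa is still enabled.
IF OBJECT_ID('tempdb..#errlog') IS NOT NULL DROP TABLE #errlog;
CREATE TABLE #errlog (
    LogDate     datetime,
    ProcessInfo nvarchar(100),
    [Text]      nvarchar(max)
);

-- 0 = current log, 1 = SQL Server log (2 would be the Agent log).
-- Both search strings must match, so only lines mentioning 'sa' come back.
INSERT INTO #errlog
EXEC xp_readerrorlog 0, 1, N'Login failed', N'sa';

-- A typical line (constructed sample of the standard message):
--   Login failed for user 'sa'. Reason: Password did not match that for
--   the login provided. [CLIENT: 198.51.100.23]
-- Pull the address out of the [CLIENT: ...] suffix.
;WITH parsed AS (
    SELECT LogDate,
           SUBSTRING([Text],
                     CHARINDEX('[CLIENT: ', [Text]) + 9,
                     CHARINDEX(']', [Text], CHARINDEX('[CLIENT: ', [Text]))
                       - CHARINDEX('[CLIENT: ', [Text]) - 9) AS client_ip
    FROM #errlog
    WHERE [Text] LIKE '%Login failed for user ''sa''%'
      AND CHARINDEX('[CLIENT: ', [Text]) > 0
)
SELECT client_ip,
       COUNT(*)     AS failures,
       MIN(LogDate) AS first_seen,
       MAX(LogDate) AS last_seen,
       -- attempts per minute over the observed window (NULL when every
       -- attempt falls inside a single minute); a person mistyping a
       -- password does not sustain dozens per minute, a tool does
       CAST(COUNT(*) AS decimal(10,2))
         / NULLIF(DATEDIFF(MINUTE, MIN(LogDate), MAX(LogDate)), 0) AS per_minute
FROM parsed
GROUP BY client_ip
HAVING COUNT(*) >= 20          -- assumed threshold, tune to the environment
ORDER BY failures DESC;

-- Hardening check: sa is identified by sid 0x01 even after a rename.
-- A disabled (or renamed) sa removes the account the attackers targeted.
SELECT name, is_disabled, modify_date
FROM sys.sql_logins
WHERE sid = 0x01;
-- ALTER LOGIN [sa] DISABLE;   -- run once an alternative sysadmin login exists
```

The same summary can be produced from Windows event 18456 (Application log) where the error log has already rolled over; the `[CLIENT: ...]` suffix is present there too.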

Exploitation Techniques

Once the “sa” account was compromised, the attackers utilized several techniques to maintain control over the server and prepare it for ransomware deployment:

  1. Enabling Specific Parameters: The attackers adjusted SQL Server settings to facilitate malicious activities. This included enabling features that are typically disabled for security reasons.
  2. Creating Assemblies: Custom .NET assemblies were created and deployed on the server. These assemblies were used to execute arbitrary code within the SQL Server environment.
  3. Executing Commands via xp_cmdshell and Ole Automation Procedures: The attackers leveraged built-in SQL Server functions like xp_cmdshell and Ole Automation Procedures to run system commands. These functions allow for the execution of operating system commands directly from SQL Server, providing a powerful tool for attackers.
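The three techniques above all leave marks in the server catalog: the “parameters” are rows in `sys.configurations`, and the custom assemblies appear in `sys.assemblies` of whichever database they were loaded into. The audit script below is an added example written for defenders; it is not code from the original article or from the Sekoia research. It assumes SQL Server 2017 or later (for the `clr strict security` option), that the caller holds ALTER SETTINGS for the `sp_configure` calls, and that the undocumented but widely used `sp_MSforeachdb` is acceptable for iterating databases.

```sql
-- Added example: audit the server options the attackers enabled, list
-- user-defined CLR assemblies in every database, and revert the options.
-- Assumes SQL Server 2017+ and ALTER SETTINGS permission.

-- 1. Options that should normally be 0 (disabled).
SELECT name,
       CAST(value_in_use AS int) AS value_in_use,
       CAST(value AS int)        AS configured_value,
       CASE WHEN CAST(value_in_use AS int) = 1 THEN 'REVIEW' ELSE 'ok' END AS finding
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'Ole Automation Procedures', N'clr enabled')
ORDER BY name;

-- 2. 'clr strict security' should be 1: every assembly must then be signed
--    and explicitly trusted, even one declared SAFE.
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name = N'clr strict security';

-- 3. User-defined assemblies across all databases. UNSAFE_ACCESS or
--    EXTERNAL_ACCESS permission sets on an assembly nobody recognises,
--    or a create_date in the incident window, deserve immediate review.
IF OBJECT_ID('tempdb..#asm') IS NOT NULL DROP TABLE #asm;
CREATE TABLE #asm (
    db_name        sysname,
    assembly_name  sysname,
    permission_set nvarchar(60),
    create_date    datetime,
    clr_name       nvarchar(4000)
);
EXEC sp_MSforeachdb N'
    USE [?];
    INSERT INTO #asm
    SELECT DB_NAME(), name, permission_set_desc, create_date, clr_name
    FROM sys.assemblies
    WHERE is_user_defined = 1;';
SELECT * FROM #asm ORDER BY create_date DESC;

-- 4. Reverting the options. They are advanced options, so
--    'show advanced options' is switched on only for the duration.
EXEC sp_configure 'show advanced options', 1;       RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;                 RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 0;   RECONFIGURE;
-- Only if no legitimate CLR code runs on this instance:
-- EXEC sp_configure 'clr enabled', 0;              RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;       RECONFIGURE;
```

Reverting the options is a containment step, not the end of the response: an attacker with sysadmin rights can re-enable them in one statement, so the login used for the compromise has to be dealt with as well.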

Payload Deployment

The payloads used in the attack corresponded to PureCrypter, a loader developed in .NET. The deployment process included several stages:

  1. Downloading Malicious Files: PureCrypter downloaded files with random multimedia extensions containing encrypted .NET libraries. These files were designed to evade detection by masquerading as benign multimedia files.
  2. Reflective Loading and Decryption: The encrypted .NET libraries were reflectively loaded into memory, decrypted, and executed. This technique avoids writing the malicious code to disk, making it harder for traditional antivirus solutions to detect.
  3. Loading Mallox Ransomware: Once the PureCrypter payload was executed, it proceeded to load the Mallox ransomware. PureCrypter employs various evasion techniques, such as environment detection and privilege adjustments, to avoid detection and ensure successful execution.

Ransomware Execution

Mallox ransomware follows a multi-stage execution process:

  1. Environment Checks: The ransomware performs several checks to ensure it is running in a suitable environment. This includes verifying the presence of specific files and system configurations.
  2. File Encryption: The ransomware scans the system for files to encrypt. It uses strong encryption algorithms to ensure that the files cannot be decrypted without the corresponding key. The encrypted files are typically given a new extension to indicate they are locked.
  3. Ransom Note Deployment: A ransom note is created and placed in directories containing encrypted files. This note provides instructions for the victim on how to pay the ransom to recover their data.
  4. Data Exfiltration: In addition to encrypting files, Mallox ransomware exfiltrates sensitive data from the victim’s system. This data is used as leverage in the double extortion strategy, threatening to publish the data if the ransom is not paid.

Mallox Ransomware Characteristics

Mallox ransomware, a Ransomware-as-a-Service (RaaS) operation, has been active since at least June 2021. The Mallox group uses a double extortion strategy, threatening to publish stolen data in addition to encrypting it. This approach increases the pressure on victims to pay the ransom, as they face not only data loss but also potential exposure of sensitive information.

Role of Affiliates

The Sekoia research identified two distinct affiliates involved in the Mallox operation, each using different approaches. One affiliate focused on exploiting vulnerable assets, while the other aimed at broader system compromises. Affiliates such as Maestro, Vampire, and Hiervos exhibit different tactics and ransom demands, highlighting the diverse strategies used within the Mallox group.

Suspicious Hosting Activities

The research also raised suspicions regarding the hosting company Xhost Internet, linked to AS208091. This company has been associated with ransomware activity in the past. While formal links to cybercrime remain unproven, the involvement of this AS in previous ransomware compromises and the length of time its IP addresses have stayed under observation are notable. Sekoia.io analysts continue to monitor activities associated with this AS and investigate related operations.

Impact of the Mallox Ransomware Attack

The Mallox ransomware attack had several notable impacts. Firstly, it compromised critical business data stored on the MS-SQL server. This included financial records, customer information, and intellectual property that could be sold on dark web markets. Secondly, the compromised MS-SQL server presented an entry point into the organization’s network, allowing attackers to deploy additional ransomware or conduct other malicious activities.

Data Loss

The primary impact of Mallox ransomware is data loss due to file encryption. The ransomware uses strong encryption algorithms that make it nearly impossible to recover files without the decryption key. This can result in significant data loss for organizations that do not have proper backups. Additionally, the exfiltration of sensitive data increases the risk of data being publicly released, leading to reputational damage and potential legal consequences.

Data Recovery

Data recovery in the aftermath of a ransomware attack is challenging. If a victim has reliable backups, they can restore their systems without paying the ransom. However, this requires that backups are regularly maintained and stored securely offline to prevent them from being compromised during the attack. In cases where no backups are available, organizations face difficult choices: either pay the ransom with no guarantee of data recovery or accept the loss of data.

If you need to recover an encrypted database, you can try a free download and scan your database with the software Stellar Repair for MS SQL. For further assistance, Stellar Support, with extensive experience in recovering databases from encryption, is available to help.

Differences from Other Ransomware Families

Mallox ransomware shares several characteristics with other ransomware families but also has unique attributes:

  • Double Extortion: While many ransomware families use double extortion, Mallox ransomware has been particularly aggressive in this approach, significantly increasing the pressure on victims.
  • Ransomware-as-a-Service (RaaS): The Mallox group operates as a RaaS, allowing affiliates to use the ransomware in exchange for a share of the ransom. This model is similar to other ransomware groups but has allowed Mallox to rapidly expand its reach.
  • Evasion Techniques: Mallox ransomware employs advanced evasion techniques, making it more challenging to detect and analyze compared to some other ransomware variants.

Tips for Protecting Against Ransomware

To protect against ransomware attacks like Mallox, organizations should implement the following best practices:

  1. Regular Backups: Implement a robust backup strategy, including regular and automated backups. Ensure that backups are stored offline and are tested periodically for integrity.
  2. Patch Management: Keep your MS-SQL Server and all related software up-to-date with the latest patches and security updates.
  3. Access Control: Use strong, unique passwords and enforce multi-factor authentication (MFA) for accessing MS-SQL Server instances. Limit access to critical systems to only those who need it.
  4. Network Segmentation: Isolate MS-SQL Servers from other parts of the network to minimize the impact of a ransomware attack. Implement firewalls and intrusion detection/prevention systems (IDS/IPS).
  5. Monitoring and Detection: Use security monitoring tools to detect suspicious activities and potential threats. Regularly review logs and alerts for signs of ransomware attempts.
  6. User Training: Educate employees about the dangers of phishing and other social engineering tactics. Regular training can help prevent the initial delivery of ransomware.
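Item 5 (Monitoring and Detection) can be applied directly on the SQL Server instance with the built-in SQL Server Audit feature, so that the events seen in the honeypot intrusion (login attempts against sa, configuration changes, xp_cmdshell and OLE Automation calls, assembly creation) are recorded outside the default error log. The following T-SQL is an added example and is not part of the original article; it assumes an audit folder `D:\SQLAudit\` that the service account can write to, the permission ALTER ANY SERVER AUDIT, and that the audit names used are placeholders chosen here.

```sql
-- Added example: a server audit covering the actions observed in the
-- honeypot intrusion. Names and the D:\SQLAudit\ path are assumed.
USE master;
GO
CREATE SERVER AUDIT [Audit_MssqlHardening]
TO FILE (FILEPATH = N'D:\SQLAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 20)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO

-- Server level: every login (success and failure), server configuration
-- operations, changes to logins, and any tampering with the audit itself.
CREATE SERVER AUDIT SPECIFICATION [AuditSpec_Server]
FOR SERVER AUDIT [Audit_MssqlHardening]
ADD (FAILED_LOGIN_GROUP),
ADD (SUCCESSFUL_LOGIN_GROUP),
ADD (SERVER_OPERATION_GROUP),
ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
ADD (AUDIT_CHANGE_GROUP)
WITH (STATE = ON);
GO

-- Database level, in master where the extended procedures live: each
-- EXECUTE of xp_cmdshell and the OLE Automation procedures by anyone,
-- plus CREATE/ALTER/DROP of database objects (CREATE ASSEMBLY included).
CREATE DATABASE AUDIT SPECIFICATION [AuditSpec_Master]
FOR SERVER AUDIT [Audit_MssqlHardening]
ADD (EXECUTE ON OBJECT::dbo.xp_cmdshell BY public),
ADD (EXECUTE ON OBJECT::dbo.sp_OACreate BY public),
ADD (EXECUTE ON OBJECT::dbo.sp_OAMethod BY public),
ADD (DATABASE_OBJECT_CHANGE_GROUP)
WITH (STATE = ON);
GO

ALTER SERVER AUDIT [Audit_MssqlHardening] WITH (STATE = ON);
GO

-- Reviewing the trail: who called the command-execution procedures or
-- created objects, from which client address, and the statement text.
SELECT event_time, server_principal_name, client_ip, object_name, statement
FROM sys.fn_get_audit_file(N'D:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE object_name IN (N'xp_cmdshell', N'sp_OACreate', N'sp_OAMethod')
   OR action_id = 'CR'          -- CREATE of an object, e.g. an assembly
ORDER BY event_time DESC;
```

Writing the audit to a file share or forwarding it to a SIEM matters here: an attacker who already holds sysadmin can stop a local audit, and AUDIT_CHANGE_GROUP only helps if the record of that action leaves the host before it is deleted.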

Conclusion

The Mallox ransomware attack on the MS-SQL honeypot underscores the need for robust security measures to protect SQL Servers. Regularly updating systems, implementing strong access controls, and monitoring for suspicious activities are crucial steps in mitigating the risk of ransomware attacks. The ongoing efforts by researchers and security professionals to understand and counter these threats are vital in the fight against cybercrime. As cyber-attacks become increasingly sophisticated, staying informed and proactive is essential for safeguarding critical data and systems.

Check out the case study where we decrypted ransomware-locked data, recovered essential business information and restored access to vital data for a packaging solutions company.
