Mallox Ransomware Exploits Weak MS-SQL Servers to Breach Networks

July 20, 2023 | THN | Endpoint Security / Data Safety


Mallox ransomware activity increased 174% in 2023 compared to the previous year, according to new research from Palo Alto Networks Unit 42.

“Mallox ransomware, like many other ransomware attackers, steals data before encrypting an organization’s files and then uses the stolen data as a means to convince victims to pay the ransom. It follows a dual extortion trend of threatening to publish on leak sites,” researchers Lior Rochberger and Simi Cohen said in a new report shared with The Hacker News.

Mallox has been associated with threat actors that have also been linked to other ransomware strains such as TargetCompany, Tohnichi, Fargo and, most recently, Xollam. It first appeared in June 2021.

Prominent sectors targeted by Mallox include manufacturing, professional and legal services, wholesale and retail, and others.

A notable aspect of this group is its pattern of exploiting poorly secured MS-SQL servers via dictionary attacks as the intrusion vector into victim networks. Xollam deviates from the norm and has been observed using malicious OneNote file attachments for initial access, as Trend Micro detailed last month.
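The dictionary-attack vector described above leaves a recognisable trace in the SQL Server error log: a burst of failed logins from one client address, sometimes followed by a success for the same account. The following detection script is an added example written for this page, not code from Unit 42 or from the article; the log lines it parses are constructed in SQL Server ERRORLOG style, and the client addresses, account names and timestamps are made up. It assumes the server's login auditing is set to record both failed and successful logins, otherwise the "success after burst" signal is unavailable.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in SQL Server ERRORLOG style (assumption: login
# auditing records both failed and successful logins). Hosts, users and
# timestamps are invented for this example and do not come from the article.
SAMPLE_LOG = """\
2023-07-20 10:15:01.23 Logon       Error: 18456, Severity: 14, State: 8.
2023-07-20 10:15:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-07-20 10:15:02.01 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-07-20 10:15:02.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-07-20 10:15:03.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-07-20 10:15:04.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-07-20 10:15:04.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-07-20 10:16:30.55 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2023-07-20 11:02:10.00 Logon       Login failed for user 'app_reports'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2023-07-20 11:02:25.00 Logon       Login succeeded for user 'app_reports'. Connection made using SQL Server authentication. [CLIENT: 198.51.100.7]
"""

# Matches the "Login failed/succeeded for user '...' ... [CLIENT: ...]" lines;
# the preceding "Error: 18456" line carries no client and is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'"
    r".*\[CLIENT: (?P<client>[^\]]+)\]$"
)


def parse_logon_events(text):
    """Turn ERRORLOG text into a list of logon event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a logon result line
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "result": m["result"],
            "user": m["user"],
            "client": m["client"],
        })
    return events


def find_dictionary_attacks(events, threshold=5, window=timedelta(minutes=5)):
    """Flag clients with >= threshold failed logins inside a sliding window.

    Returns {client: {"first_alert", "failures", "users", "success_as"}}.
    'success_as' records the first account that later logged in successfully
    from a flagged client, the signal that the dictionary attack got in.
    """
    recent = defaultdict(deque)  # client -> deque of (ts, user) failures in window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        client = ev["client"]
        if ev["result"] == "failed":
            q = recent[client]
            q.append((ev["ts"], ev["user"]))
            while q and ev["ts"] - q[0][0] > window:
                q.popleft()  # drop failures older than the window
            if client in alerts:
                alerts[client]["failures"] += 1
                alerts[client]["users"].add(ev["user"])
            elif len(q) >= threshold:
                alerts[client] = {
                    "first_alert": ev["ts"],
                    "failures": len(q),
                    "users": {u for _, u in q},
                    "success_as": None,
                }
        elif client in alerts and alerts[client]["success_as"] is None:
            alerts[client]["success_as"] = ev["user"]
    return alerts


if __name__ == "__main__":
    for client, info in find_dictionary_attacks(parse_logon_events(SAMPLE_LOG)).items():
        print(client, info)
```

Tune `threshold` and `window` to the server's normal failure rate; a client that crosses the threshold and then succeeds as a high-privilege account such as `sa` is the case to escalate first, and the same logic applies to the Windows Security log (event 18456 is also raised to the Application log) if that is what your collector ingests.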


Once the threat actor gains a foothold on an infected host, they run a PowerShell command to retrieve the ransomware payload from a remote server.

This binary attempts to stop and remove SQL-related services, remove volume shadow copies, clear system event logs, terminate security-related processes, and bypass Raccine, an open-source tool designed to combat ransomware attacks. The encryption process then begins, after which the ransom note is dropped in every directory.


TargetCompany remains a small and closed group, but has also been observed recruiting affiliates for its Mallox ransomware-as-a-service (RaaS) affiliate program on the RAMP cybercrime forum.

The development comes as ransomware continues to be a lucrative financial scheme, generating at least $449.1 million in profits for cybercriminals in the first half of 2023 alone, according to Chainalysis.

“Mallox ransomware group has seen increased activity in recent months, and recent recruitment campaigns may allow it to attack more organizations if the recruitment campaign is successful,” the researchers said.
