Mallox Ransomware Goes After Victims by Hitting MS-SQL Servers


Palo Alto Networks Unit 42 reported a staggering 174% surge in Mallox ransomware activities in 2023, as compared to the previous year.

Like many other ransomware threat actors, Mallox ransomware has adopted the double extortion strategy. This approach involves stealing sensitive data from organizations before encrypting their files. The threat actors then threaten to publish the stolen data on a leak site to coerce victims into paying the ransom. Security researchers Lior Rochberger and Shimi Cohen shared these findings in a report with the website The Hacker News.

Mallox is associated with a threat actor known for operating other ransomware strains such as TargetCompany, Tohnichi, Fargo, and the more recent Xollam. Its emergence dates back to June 2021.

The sectors most prominently targeted by Mallox include manufacturing, professional and legal services, and wholesale and retail industries.

Mallox Goes After MS-SQL Servers

One of the distinct characteristics of this group is its exploitation of poorly secured MS-SQL servers through dictionary attacks as a means of penetrating victims' networks. However, a deviation from this pattern has been observed in Xollam, which, as disclosed by Trend Micro last month, uses malicious OneNote file attachments for initial access.

Once the attackers gain a foothold on the infected host, they execute a PowerShell command to retrieve the ransomware payload from a remote server.

The binary employed by Mallox takes several steps to ensure its malicious activities go undetected and uninhibited. It attempts to stop and remove SQL-related services, delete volume shadow copies, clear system event logs, terminate security-related processes, and bypass Raccine, an open-source tool designed to counter ransomware attacks. Only after completing these steps does it initiate its encryption process, followed by the placement of a ransom note in every compromised directory.
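As an added example (not from the article or from Unit 42), the following Python sketch shows how the two behaviours described above could be spotted in logs: a dictionary attack showing up as a burst of failed SQL Server logins from one client, and the pre-encryption steps (stopping SQL services, deleting shadow copies, clearing event logs) showing up in process-creation telemetry. The log formats, command lines and thresholds are assumptions, approximated for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed SQL Server error-log excerpt (format approximated): a
# password-guessing burst against 'sa' from one client, plus one benign failure.
SQL_ERRORLOG = [
    "2023-07-20 02:14:01 Logon Login failed for user 'sa'. [CLIENT: 203.0.113.7]",
    "2023-07-20 02:14:02 Logon Login failed for user 'sa'. [CLIENT: 203.0.113.7]",
    "2023-07-20 02:14:02 Logon Login failed for user 'admin'. [CLIENT: 203.0.113.7]",
    "2023-07-20 02:14:03 Logon Login failed for user 'sa'. [CLIENT: 203.0.113.7]",
    "2023-07-20 02:14:03 Logon Login failed for user 'sa'. [CLIENT: 203.0.113.7]",
    "2023-07-20 09:30:11 Logon Login failed for user 'CORP\\jdoe'. [CLIENT: 10.0.0.25]",
]

# Constructed process-creation records (host, command line), approximating
# what Sysmon event 1 or Windows event 4688 would record on an infected host.
PROC_EVENTS = [
    ("sql01", "net stop MSSQLSERVER /y"),
    ("sql01", "vssadmin delete shadows /all /quiet"),
    ("sql01", "wevtutil cl System"),
    ("ws07", "net stop Spooler"),
]

LOGIN_FAIL = re.compile(r"Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<ip>[^\]]+)\]")

def sql_bruteforce_sources(lines, threshold=4):
    """Return {client_ip: failure_count} for clients at or above the threshold."""
    counts = Counter()
    for line in lines:
        m = LOGIN_FAIL.search(line)
        if m:
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# One pattern per pre-encryption step the article lists (command lines assumed).
PRE_ENCRYPTION_STEPS = {
    "stop_sql_services": re.compile(r"\b(net|sc)\s+stop\s+\S*(MSSQL|SQL)", re.I),
    "delete_shadow_copies": re.compile(r"vssadmin\b.*delete\s+shadows", re.I),
    "clear_event_logs": re.compile(r"wevtutil\b.*\bcl\b", re.I),
}

def pre_encryption_hosts(events, min_steps=2):
    """Return {host: sorted step names} for hosts showing at least min_steps steps."""
    seen = defaultdict(set)
    for host, cmdline in events:
        for step, pat in PRE_ENCRYPTION_STEPS.items():
            if pat.search(cmdline):
                seen[host].add(step)
    return {h: sorted(s) for h, s in seen.items() if len(s) >= min_steps}
```

Requiring two or more distinct steps on one host keeps a lone `net stop` of an unrelated service, as on `ws07` above, from firing.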

July 21, 2023
