Mallox

Malware updated 2 months ago (2024-09-23T22:00:54.040Z)

Download STIX

Preview STIX

Mallox is a potent malware that has been causing significant disruption in the digital world. This ransomware, primarily infiltrating networks via SQL servers, has shown its ability to adapt and evolve over time. PCrisk has identified new variants of Mallox that append extensions such as .ma1x0, .cookieshelper, and .karsovrop, each dropping a unique ransom note on the victim's system. SentinelLabs further explains the complex nature of this malware, describing it as a part of a "complex menagerie of cross-pollinated toolsets and non-linear codebases," indicating the intricate and evolving landscape of ransomware threats. The Mallox ransomware group has adopted Kryptina, a Ransomware-as-a-Service (RaaS) tool initially available for free on dark web forums. In an interesting development, a Mallox affiliate updated Kryptina’s source code and documentation, translating it into Russian and adjusting branding but leaving encryption routines largely intact. This resulted in a variant known as “Mallox v1.0,” which uses AES-256 encryption with minor changes to the original code. It retains the core functionality of Kryptina while removing its branding, signaling the commoditization of ransomware tools in the cybercrime market. However, the group faced a setback in May 2024 when a Mallox affiliate leaked server data, revealing the use of a modified version of Kryptina to power Linux-based ransomware attacks. Despite this, Mallox remains a serious threat to enterprises. By understanding the nature and evolution of Mallox ransomware, organizations can implement appropriate security measures to safeguard their digital assets and minimize the risk of falling victim to this malicious software.

Description last updated: 2024-09-23T21:15:44.096Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Targetcompany is a possible alias for Mallox. TargetCompany is a known malware entity, often referred to as Mallox, Tohnichi, or Fargo in various articles and blog posts. This malicious software is designed to infiltrate and damage computer systems, often without the user's knowledge. It can enter systems through suspicious downloads, emails, o	6
Fargo is a possible alias for Mallox. Fargo, also known as Mallox and Tohnichi, is a ransomware strain that targets Microsoft Windows systems. It first surfaced in June 2021 and has since claimed to have infected hundreds of organizations worldwide. This malicious software is distributed primarily to unsecured MS-SQL servers, exploiting	4
Tohnichi is a possible alias for Mallox. Tohnichi, also known as Mallox, TargetCompany, and Fargo, is a ransomware strain that primarily targets Microsoft Windows systems. This malware first surfaced in June 2021 and has since claimed to have infected hundreds of organizations worldwide. The group behind this malicious software is associat	3

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ransomware

Ransom

Extortion

Malware

Encryption

Windows

RaaS

Ransomware P...

Linux

Remcos

Payload

Vulnerability

Cybercrime

Sql

Antivirus

Exploit

Downloader

Loader

Encrypt

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Batcloak Malware is associated with Mallox. BatCloak is a fully undetectable (FUD) malware obfuscation engine that has been used by threat actors to stealthily deliver their malware since September 2022. The BatCloak engine was initially part of an FUD builder named Jlaive, which began circulating in 2022. Although the Jlaive code repository	Unspecified	2
The Lockbit Malware is associated with Mallox. LockBit is a malicious software, or malware, known for its damaging and exploitative functions. It infiltrates systems via dubious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or hold data hostage for ransom. The LockBit	Unspecified	2

Source Document References

Information about the Mallox Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
InfoSecurity-magazine	2 months ago	Kryptina Ransomware Resurfaces in Enterprise Attacks By Mallox
Securityaffairs	2 months ago	Security Affairs newsletter Round 489 by Pierluigi Paganini – INTERNATIONAL EDITION
Securelist	3 months ago	Evolution of Mallox: from private ransomware to RaaS
Securelist	4 months ago	Ransomware variants available online give rise to new cybercrime groups
DARKReading	6 months ago	Mallox Ransomware Variant Targets Privileged VMWare ESXi Environments
InfoSecurity-magazine	6 months ago	Mallox Ransomware Deployed Via MS-SQL Honeypot Attack
Securelist	6 months ago	Kaspersky Anti-Ransomware Day report 2024
CERT-EU	9 months ago	Support need About Mallox files - Ransomware Help & Tech Support
CERT-EU	9 months ago	The Week in Ransomware - March 1st 2024 - Healthcare under siege
DARKReading	10 months ago	Nigerian Businesses Face Growing Ransomware-as-a-Service Trade
CERT-EU	a year ago	The Week in Ransomware - January 5th 2024 - Secret decryptors
CERT-EU	a year ago	Cyber Security Today, Week in Review for the week ending Friday, July 21, 2023 \| IT World Canada News
CERT-EU	a year ago	Cyber Briefing: 2023.12.28. 👉 What’s going on in the cyber world… \| by CyberMaterial \| Dec, 2023 \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
CERT-EU	a year ago	TargetCompany Ransomware Deploy Fully Undetectable Malware on SQL Server
CERT-EU	a year ago	TargetCompany Ransomware Deploy Fully Undetectable Malware on SQL Server \| IT Security News
CERT-EU	a year ago	8Base Ransomware Spikes in Activity, Threatens U.S. and Brazilian Businesses \| #ransomware \| #cybercrime \| National Cyber Security Consulting
CERT-EU	a year ago	New Yashma Ransomware Variant Targets Multiple English-Speaking Countries
CERT-EU	a year ago	8Base Ransomware Emerges from the Shadows
CERT-EU	a year ago	PLAY Ransomware Attack Hits New Victims, 7 Firms Listed
Quick Heal Technologies Ltd.	a year ago	Mallox Ransomware Strikes Unsecured MSSQL Servers