In the realm of cyber threats, a new and dangerous ransomware strain named Mallox has emerged, targeting Microsoft SQL (MS-SQL) servers that lack proper security measures. Since its inception in June 2021, Mallox has rapidly gained momentum, employing brute force, data exfiltration, and network scanners to breach victims' networks. The ransomware deploys double extortion tactics, encrypting files and stealing data to coerce victims into paying the ransom. Identified by security researchers at Unit 42, Mallox's activities have surged in 2023, with a 174% rise in attacks compared to the previous year.

Mallox Ransomware's Modus Operandi:

Mallox ransomware exploits unsecured MS-SQL servers as its entry point. The operators use dictionary brute-force techniques to gain initial access, then use the command line and PowerShell to download the ransomware payload. Before it starts encrypting, the payload makes a series of attempts to maximize its impact and evade detection:

- Attempts to stop and remove SQL-related services using sc.exe and net.exe.
- Attempts to delete volume shadow copies, preventing file restoration after encryption.
- Attempts to erase event logs using Microsoft's wevtutil command-line tool, evading detection and forensic analysis.
- Uses takeown.exe to alter file permissions, blocking access to critical system processes such as cmd.exe.
- Blocks manual System Image Recovery with bcdedit.exe, limiting the system administrator's options.
- Uses taskkill.exe to terminate security processes and evade security solutions.
- Removes the registry key used by the Raccine anti-ransomware tool in order to defeat it.

Double Extortion Strategy:

Once the encryption process is complete, Mallox employs a double extortion strategy. The ransomware not only encrypts files, rendering them inaccessible, but also exfiltrates sensitive data from the victim's network. This stolen data is then used as leverage to coerce the victim into paying the ransom.
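The pre-encryption behaviours listed above are noisy individually (an administrator clears a log or stops a service all the time) but distinctive as a cluster from one account inside a few minutes. The following detector is an added example written for this article, not code from Unit 42 or from the Mallox samples: it parses constructed process-creation events in a simplified "timestamp|user|image|commandline" layout (an assumption; map your own Sysmon or EDR fields to it), matches each event against one rule per listed behaviour, and alerts only when enough distinct techniques appear from the same user inside a time window. The placeholder process name EndpointAgent.exe and the assumption that Raccine registers itself through Image File Execution Options keys are the editor's, not the article's.

```python
"""Flag the clustered pre-encryption command sequence in process-creation logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). EndpointAgent.exe stands in for
# whatever security product process is present; service and key names are illustrative.
SAMPLE_EVENTS = r"""
2023-10-20T10:01:02|LAB\svc_sql|C:\Windows\System32\cmd.exe|cmd.exe /c dir C:\data
2023-10-20T10:01:05|LAB\svc_sql|C:\Windows\System32\sc.exe|sc.exe stop MSSQLSERVER
2023-10-20T10:01:06|LAB\svc_sql|C:\Windows\System32\net.exe|net.exe stop SQLWriter
2023-10-20T10:01:07|LAB\svc_sql|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2023-10-20T10:01:08|LAB\svc_sql|C:\Windows\System32\wevtutil.exe|wevtutil.exe cl Security
2023-10-20T10:01:09|LAB\svc_sql|C:\Windows\System32\takeown.exe|takeown.exe /f C:\Windows\System32\cmd.exe
2023-10-20T10:01:10|LAB\svc_sql|C:\Windows\System32\bcdedit.exe|bcdedit.exe /set {default} recoveryenabled no
2023-10-20T10:01:11|LAB\svc_sql|C:\Windows\System32\taskkill.exe|taskkill.exe /f /im EndpointAgent.exe
2023-10-20T10:01:12|LAB\svc_sql|C:\Windows\System32\reg.exe|reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vssadmin.exe" /f
2023-10-20T10:40:00|LAB\admin|C:\Windows\System32\wevtutil.exe|wevtutil.exe cl Application
"""

# (label, image-path pattern, command-line pattern). Patterns are the editor's own,
# written from the behaviours the article lists. The last rule assumes Raccine hooks
# vssadmin.exe through an Image File Execution Options debugger entry.
RULES = [
    ("stop SQL services", r"\\(?:sc|net)\.exe$", r"\bstop\b.*sql"),
    ("delete volume shadows", r"\\vssadmin\.exe$", r"\bdelete\b.*\bshadows\b"),
    ("clear event logs", r"\\wevtutil\.exe$", r"\bcl\b"),
    ("take ownership of system binaries", r"\\takeown\.exe$", r"\\windows\\system32\\"),
    ("disable recovery", r"\\bcdedit\.exe$", r"recoveryenabled\s+no"),
    ("kill security processes", r"\\taskkill\.exe$", r"/im\b"),
    ("remove IFEO key (Raccine)", r"\\reg\.exe$", r"\bdelete\b.*image file execution options"),
]


def parse_event(line):
    """Split one 'timestamp|user|image|commandline' record into a dict."""
    ts, user, image, cmd = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "user": user, "image": image, "cmd": cmd}


def match_rules(event):
    """Return the labels of every rule whose image and command-line patterns both match."""
    return [
        label
        for label, img_re, cmd_re in RULES
        if re.search(img_re, event["image"], re.I) and re.search(cmd_re, event["cmd"], re.I)
    ]


def detect_pre_encryption_chain(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return {user: sorted distinct techniques} for users who trigger at least
    `threshold` distinct rules within `window`. One isolated hit stays quiet; the
    clustered sequence the article describes does not."""
    per_user = defaultdict(list)  # user -> [(timestamp, label), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        for label in match_rules(ev):
            per_user[ev["user"]].append((ev["ts"], label))

    alerts = {}
    for user, hits in per_user.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):  # sliding window over the user's hits
            in_window = {label for t, label in hits[i:] if t - t0 <= window}
            if len(in_window) >= threshold:
                alerts[user] = sorted(in_window)
                break
    return alerts


if __name__ == "__main__":
    for user, techniques in detect_pre_encryption_chain(SAMPLE_EVENTS).items():
        print(f"ALERT {user}: {', '.join(techniques)}")
```

In the sample, LAB\svc_sql trips all seven rules within ten seconds and is reported, while LAB\admin clearing a single log half an hour later is not. Tune `threshold` and `window` to your environment; a lower threshold catches shorter chains at the cost of more analyst time on legitimate maintenance.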
Mallox's website on the Tor network showcases the leaked data, and the group behind the ransomware boasts numerous victims worldwide, across industries including manufacturing, professional services, legal services, wholesale, and retail.

Growth and Expansion:

Despite being a relatively small and closed group, Mallox aims to expand its illicit operations by recruiting affiliates. By collaborating with affiliates, the ransomware's reach could broaden, putting additional organizations at risk of falling victim.

Defense Measures and Recommendations:

Unit 42 advises organizations to implement proper configuration and patching for internet-facing applications and systems to minimize the attack surface. This includes strengthening security controls on MS-SQL servers and adopting robust authentication measures to deter brute-force attacks. Regular updates and monitoring help detect and mitigate such threats promptly.

Conclusion:

Mallox ransomware poses a significant threat to organizations, particularly those with unsecured MS-SQL servers. Its aggressive attack techniques and double extortion strategy have already caused distress to numerous victims across various industries. As the cyber landscape evolves, proactive measures, collaboration among security stakeholders, and swift response to incidents are crucial in the fight against such ransomware threats.
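The monitoring recommended under Defense Measures and Recommendations can start with the SQL Server ERRORLOG itself, which records failed logins (error 18456) with the offending login name and client address under the default "Failed logins only" audit setting. The script below is an added example by the editor, not Unit 42's tooling: it parses constructed lines laid out like ERRORLOG entries (the exact layout is an assumption; check against your build), groups failures by client address, and reports any source that exceeds a threshold inside a time window, which is the dictionary brute-force pattern the article describes. The addresses and login names are constructed.

```python
"""Spot dictionary brute-force attempts against MS-SQL from ERRORLOG failed logins (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta


def _failed_login_line(ts, user, client):
    """Build one constructed ERRORLOG-style 'Login failed' line."""
    return (f"{ts} Logon       Login failed for user '{user}'. "
            f"Reason: Password did not match that for the login provided. [CLIENT: {client}]")


# Constructed sample log: twelve failures for 'sa' from one address inside a minute,
# one unrelated server line, and a single failure from an internal address.
SAMPLE_ERRORLOG = "\n".join(
    [_failed_login_line(f"2023-10-20 09:59:{s:02d}.00", "sa", "203.0.113.5") for s in range(0, 60, 5)]
    + ["2023-10-20 10:00:00.00 spid55      Starting up database 'tempdb'."]
    + [_failed_login_line("2023-10-20 10:03:12.00", "reporting", "10.0.0.25")]
)

LOGIN_FAILED = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+Logon\s+Login failed for user '([^']+)'"
    r".*\[CLIENT: ([^\]]+)\]"
)


def parse_failures(log_text):
    """Return [(timestamp, login, client_ip), ...] for every failed-login line."""
    failures = []
    for line in log_text.splitlines():
        m = LOGIN_FAILED.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            failures.append((ts, m.group(2), m.group(3)))
    return failures


def find_bruteforce_sources(log_text, threshold=10, window=timedelta(minutes=5)):
    """Return {client_ip: {"failures": n, "logins": [...]}} for every client that
    produced at least `threshold` failed logins within `window`."""
    by_client = defaultdict(list)  # client_ip -> [(timestamp, login), ...]
    for ts, login, client in parse_failures(log_text):
        by_client[client].append((ts, login))

    flagged = {}
    for client, attempts in by_client.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):  # sliding window over this client's attempts
            burst = [(t, u) for t, u in attempts[i:] if t - t0 <= window]
            if len(burst) >= threshold:
                flagged[client] = {"failures": len(burst), "logins": sorted({u for _, u in burst})}
                break
    return flagged


if __name__ == "__main__":
    for client, info in find_bruteforce_sources(SAMPLE_ERRORLOG).items():
        print(f"{client}: {info['failures']} failures against {', '.join(info['logins'])}")
```

Running this over a live ERRORLOG is only useful if the server's login auditing still records failures and if the server's clock and the log's timestamps are trustworthy; a flagged external address against 'sa' is exactly the exposure the article's recommendation to harden internet-facing MS-SQL is meant to remove.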
October 20, 2023