Experts at Uptycs have discovered a new variant of the Mallox ransomware, specifically designed for Linux systems. This malicious software encrypts victims’ data, rendering it inaccessible until a ransom is paid.
The attackers use a custom Python script to deliver the malware to the target system. The script is a web panel for Mallox built on the Flask framework, which reads the credentials for its internal database from system environment variables. This mechanism gave researchers insight into the attackers’ infrastructure.
Mallox, also known as Fargo, TargetCompany, and Mawahelper, poses a significant threat due to its web panel, which allows cybercriminals to create customized versions of Mallox, manage their deployment, and even upload the ransomware itself.
The new version of Mallox encrypts victims’ data and appends the “.locked” extension to the encrypted files. Previous versions used .NET, .EXE, or .DLL files, distributed via MS-SQL servers, phishing emails, or spam. The malware includes routes for various functions such as user authentication, build management, new user registration, password resets, and creating new ransomware variants.
Additionally, the admin panel enables user profile management, log viewing, account actions, and includes a chat interface and a customizable 404 error page.
Mallox’s encryption process is based on AES-256-CBC, a strong and widely used standard. Without the key held by the attackers, victims have no practical way to decrypt their files.
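As an added defender-side example (not code from Uptycs or the article), the following Python triage helper flags files that carry the reported `.locked` extension and whose contents look like block-aligned, high-entropy AES-CBC output; the sample files, entropy threshold and function names are constructed assumptions for illustration.

```python
import math
import random
from collections import Counter

AES_BLOCK_SIZE = 16           # AES works on 16-byte blocks; padded CBC output is block-aligned
MALLOX_EXTENSION = ".locked"  # extension the article reports the Linux variant appends
ENTROPY_THRESHOLD = 7.5       # bits per byte (assumed cut-off); encrypted data approaches 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

def looks_like_cbc_ciphertext(data: bytes) -> bool:
    """Heuristic only: padded AES-CBC yields block-aligned, near-uniform bytes."""
    return (len(data) > 0
            and len(data) % AES_BLOCK_SIZE == 0
            and shannon_entropy(data) >= ENTROPY_THRESHOLD)

def triage(files: dict) -> dict:
    """Map each file name to a verdict combining the name marker and the content heuristic."""
    verdicts = {}
    for name, data in files.items():
        has_ext = name.endswith(MALLOX_EXTENSION)
        cipher_like = looks_like_cbc_ciphertext(data)
        if has_ext and cipher_like:
            verdicts[name] = "likely-encrypted"
        elif has_ext:
            verdicts[name] = "extension-only"   # .locked name but plaintext-like content
        elif cipher_like:
            verdicts[name] = "high-entropy"     # encrypted or compressed, but no marker
        else:
            verdicts[name] = "clean"
    return verdicts

# Constructed sample "files" (name -> contents) for the demo; not real victim data.
_rng = random.Random(2024)
SAMPLE_FILES = {
    "quarterly_report.xlsx.locked": _rng.randbytes(4096),     # block-aligned pseudo-random bytes
    "README.locked": b"renamed but still plaintext\n" * 20,    # marker without encryption
    "notes.txt": b"ordinary text file contents\n" * 50,        # untouched file
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_FILES).items():
        print(f"{name}: {verdict}")
```

The entropy and block-alignment checks cannot prove a file is Mallox output; they rank candidates for manual review and rule out files that were merely renamed.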
Mallox operations have been active since mid-2021. Since mid-2022, the Mallox group has operated under a Ransomware-as-a-Service (RaaS) model. The group employs multi-stage extortion tactics, encrypting victims’ data and threatening to publish it on public Tor sites.
Fortunately, Uptycs experts have discovered a decryption tool for Mallox. However, the creators of Mallox may update their ransomware to evade decryption, so the discovered tool may only provide a temporary solution.