Newly discovered ransomware known as Mallox (alternatively named TargetCompany, FARGO, and Tohnichi) is launching an aggressive campaign against Microsoft SQL (MS-SQL) servers.
First appearing in June 2021, this specific strain of ransomware is particularly worrisome due to its focus on exploiting unsecured MS-SQL servers, giving it the potential to cause widespread network breaches.
Unit 42 security researchers, who recently identified the Mallox ransomware, reported an alarming 174% spike in incidents involving Mallox targeting MS-SQL servers; the operation relies on brute force attacks, data theft, and network scanners for distribution.
The Mallox Ransomware Modus Operandi
The perpetrators of the Mallox ransomware adopt a two-pronged strategy, engaging in both data encryption and theft, thereby applying considerable pressure on victims to pay the demanded ransom.
The Mallox group strategically displays stolen data, complete with redacted names and logos, while providing private keys for negotiations and payment processes.
While the Mallox group claims to have ensnared hundreds of victims, data from Unit 42 suggests that several dozen victims from a broad range of industries, including manufacturing, professional services, legal services, wholesale, and retail, have been affected. Mallox activities have seen an unprecedented surge in 2023, with a staggering 174% increase in attacks compared to late 2022.
The group’s approach for initial access remains consistent: it targets unsecured MS-SQL servers via dictionary brute force attacks, followed by the use of command line and PowerShell to download the ransomware payload.
Execution of Mallox
Before encryption begins, the ransomware payload performs a series of actions to take control of the system. These actions include:
- Stopping and removing SQL-related services using sc.exe and net.exe.
- Deleting volume shadows to limit file restoration post-encryption.
- Wiping logs with Microsoft’s wevtutil command line utility to evade detection and forensic analysis.
- Using takeown.exe to change file permissions and restrict access to critical system processes.
- Inhibiting manual System Image Recovery with bcdedit.exe.
- Utilizing taskkill.exe to terminate security processes and evade security solutions.
- Altering a registry key to circumvent the Raccine anti-ransomware tool.
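The two stages described above (a dictionary brute force against the MS-SQL login, then a run of service, shadow-copy, log, permission, boot-configuration, process and registry tampering) each leave telemetry that a defender can correlate. The following detection sketch is an added example, not code from the article or from Unit 42. It runs over constructed sample records that mimic the fields a SIEM extracts from SQL Server login-failure messages (error 18456) and Windows process-creation records (event 4688 or Sysmon event 1); the threshold, window, command-line markers and the assumption that Raccine is disabled by editing Image File Execution Options keys are all the example's own.

```python
"""Correlate an MS-SQL brute-force burst with the pre-encryption commands
the article lists. Added example; events, thresholds and signatures are
constructed assumptions, not Unit 42 data."""
from collections import defaultdict
from datetime import datetime, timedelta

BRUTE_FORCE_THRESHOLD = 20                  # assumption: 20 failures from one source
BRUTE_FORCE_WINDOW = timedelta(seconds=60)  # ... inside any 60-second window

# (label, image file name, lowercase substring that must appear in the command line).
# Markers are assumptions chosen to match the article's list of actions.
PREP_SIGNATURES = [
    ("sql service tampering", "sc.exe", " stop "),
    ("sql service tampering", "sc.exe", " delete "),
    ("sql service tampering", "net.exe", " stop "),
    ("shadow copy deletion", "vssadmin.exe", "delete shadows"),
    ("shadow copy deletion", "wmic.exe", "shadowcopy delete"),
    ("event log wipe", "wevtutil.exe", " cl "),
    ("ownership change", "takeown.exe", "/f "),
    ("recovery inhibited", "bcdedit.exe", "recoveryenabled no"),
    ("security process kill", "taskkill.exe", "/f "),
    # assumption: Raccine hooks tools through Image File Execution Options keys,
    # so reg.exe touching those keys is treated as a bypass attempt
    ("raccine bypass", "reg.exe", "image file execution options"),
]


def detect_brute_force(events, threshold=BRUTE_FORCE_THRESHOLD, window=BRUTE_FORCE_WINDOW):
    """Return {(host, source_ip): peak_count} for sources whose SQL login
    failures reach `threshold` inside a sliding `window`."""
    failures = defaultdict(list)
    for ev in events:
        if ev["kind"] == "sql_login_failed":
            failures[(ev["host"], ev["source_ip"])].append(ev["time"])
    hits = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[key] = max(hits.get(key, 0), count)
    return hits


def detect_prep_commands(events):
    """One finding per process-creation event whose image name and command
    line match a PREP_SIGNATURES entry (first matching entry wins)."""
    findings = []
    for ev in events:
        if ev["kind"] != "process_created":
            continue
        image = ev["image"].lower().rsplit("\\", 1)[-1]   # exact file name, not suffix
        cmd = " " + ev["cmdline"].lower() + " "           # pad so " stop " matches at edges
        for label, sig_image, needle in PREP_SIGNATURES:
            if image == sig_image and needle in cmd:
                findings.append({"host": ev["host"], "time": ev["time"],
                                 "label": label, "cmdline": ev["cmdline"]})
                break
    return findings


def correlate(events):
    """Hosts where a brute-force burst was followed by pre-encryption commands,
    i.e. the sequence the article describes. Returns {host: [labels in order]}."""
    attacked_hosts = {host for (host, _ip) in detect_brute_force(events)}
    first_failure = {}
    for ev in events:
        if ev["kind"] == "sql_login_failed":
            first_failure[ev["host"]] = min(first_failure.get(ev["host"], ev["time"]), ev["time"])
    result = defaultdict(list)
    for f in sorted(detect_prep_commands(events), key=lambda f: f["time"]):
        if f["host"] in attacked_hosts and f["time"] >= first_failure[f["host"]]:
            result[f["host"]].append(f["label"])
    return dict(result)


def build_sample_events():
    """Constructed telemetry, not real logs: 25 'sa' login failures against
    SQL01 in 36 s, then the preparation commands; benign noise on SQL02."""
    t0 = datetime(2023, 7, 20, 3, 14, 0)
    events = [{"kind": "sql_login_failed", "host": "SQL01", "source_ip": "203.0.113.7",
               "user": "sa", "time": t0 + timedelta(seconds=1.5 * i)} for i in range(25)]
    sysdir = "C:\\Windows\\System32\\"
    post = [
        "sc.exe stop MSSQLSERVER",
        "vssadmin.exe delete shadows /all /quiet",
        "wevtutil.exe cl Security",
        "takeown.exe /f " + sysdir + "constructed.dll",
        "bcdedit.exe /set {default} recoveryenabled No",
        "taskkill.exe /F /IM constructed_agent.exe",
        'reg.exe delete "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion'
        '\\Image File Execution Options\\vssadmin.exe" /f',
    ]
    for i, cmd in enumerate(post):
        events.append({"kind": "process_created", "host": "SQL01", "parent": "cmd.exe",
                       "image": sysdir + cmd.split()[0], "cmdline": cmd,
                       "time": t0 + timedelta(minutes=5, seconds=10 * i)})
    for i in range(3):   # a few typos from an admin: below threshold
        events.append({"kind": "sql_login_failed", "host": "SQL02", "source_ip": "198.51.100.4",
                       "user": "reports", "time": t0 + timedelta(minutes=i)})
    events.append({"kind": "process_created", "host": "SQL02", "parent": "cmd.exe",
                   "image": sysdir + "sc.exe", "cmdline": "sc.exe query MSSQLSERVER",
                   "time": t0 + timedelta(minutes=7)})
    return events


if __name__ == "__main__":
    for host, labels in correlate(build_sample_events()).items():
        print(host, "->", ", ".join(labels))
```

The per-host correlation is deliberately conservative: a lone `net stop` or `takeown` is routine administration, so only hosts that also saw a login-failure burst are reported, and the burst must precede the commands. In production the same logic would read from the SQL Server error log or the Application event log and from 4688/Sysmon data rather than the constructed list.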
The Ransom Note
Upon successful infection, the ransomware leaves a ransom note in every directory on the victim’s drive. The note elucidates the nature of the infection and provides contact details for further proceedings.
Despite Mallox’s currently limited size and closed group, the team is actively seeking to expand by recruiting affiliates to further its illegal activities. If successful, Mallox could significantly broaden its sphere of influence, putting more organizations at risk.
Unit 42 advises robust configuration and timely patching of all internet-facing applications and systems as a crucial line of defense. This can significantly minimize the attack surface, thus limiting the opportunities for potential attackers.