By using dictionary attack method, the ransomware acquire unauthorized access to victims’ networks, finally succeeding in server compromise and data breaches.
The CERT-In alert states, “It has been observed that Mallox Ransomware is currently targeting unsecured Microsoft SQL Servers, using them as entry points into victim's ICT infrastructures to distribute the ransomware” “It has also been observed that the threat actor group has used brute force techniques on publicly exposed MS SQL instances to gain initial access to the victim's network infrastructure.”
Apparently, Mallox ransomware uses double extortion techniques, through which it steals sensitive data before encrypting a company’s files. The threat actor then proceeds to threaten victims to leak the stolen data on leak sites if ransom demands are not fulfilled.
Thus, it has become necessary for companies and individuals to take security measures actively in order to safeguard their MS-SQL servers from these attacks and prevent falling prey to the Mallox ransomware.
More About the Mallox Ransomware
A study by the Unit 42 researchers claims that compared to last year, Mallox ransomware activity has increased by 174%. Strong action is required to counter the threat as a result of the increase in attacks.
The hackers responsible for Mallox have discovered a way to use unprotected MS-SQL servers as a gateway into their victims' networks, expanding their scope and the potential harm they might cause.
Moreover, the ransomware group utilizes several tools, one of them being a network scanner and data exfiltration techniques in order to cover traces of their illicit infiltration and evade security obstacles.
Once the Mallox Ransomware gains access to a target network, it attacks with lethal accuracy. Using the command line and PowerShell, the ransomware payload is downloaded from a remote server, preparing the environment for the malicious encryption procedure. Additionally, it tries to delete volume shadows, which presents a formidable barrier for the affected organization when trying to restore files.
Mallox takes additional deliberate steps to avoid detection and obstruct the forensic investigation. Application, security, setup, and system event logs are cleared by the ransomware, leaving minimal evidence of its operations.
Also, it changes file permissions, blocks users from accessing essential system functions, and shuts down security-related services.
Recommendations by CERT-In
CERT-In shares a list of strategies that will help organizations mitigate the risk of Mallox ransomware and shares steps to secure their Microsoft SQL Server.
- Avoid exposing SQL Servers on the Internet’s default port (1433). Adopt secure connections like VPNs instead.
- Disable or strengthen the SA account to minimize the risk of unauthorized access.
- Audit SQL CLR Assemblies and remove any unwanted ones.
- Implementing a firewall, allowing incoming traffic only from trusted networks and IP addresses.
- Keep SQL Server up to date with the latest patches and updates.
- Enforce the use of strong and unique passwords for all SQL logins.
- Configure account lockout policies to counter brute force attacks.
- Encrypt data in transit using SSL/TLS to protect against eavesdropping.
- Monitor SQL Server activity through auditing to detect and respond to threats promptly.