An affiliate of the Mallox ransomware group, also known as TargetCompany, has been observed using a modified version of Kryptina ransomware to target Linux systems, according to SentinelLabs. This development is distinct from other Linux-targeting Mallox variants, such as the one described by Trend Micro in June, signaling evolving tactics in the ransomware landscape.
Originally a Windows-only malware, Mallox is now expanding its focus to Linux and VMware ESXi systems, representing a notable shift for the operation. Kryptina, a ransomware-as-a-service (RaaS) platform launched in late 2023, was initially priced at $500-$800 but failed to gain popularity. In February 2024, its administrator, "Corlys," leaked the source code on hacking forums, which was later adopted by Mallox affiliates for rebranding.
Following an operational misstep by a Mallox affiliate that exposed their tools, SentinelLabs discovered the use of Kryptina’s source code to develop "Mallox Linux 1.0." The rebranded ransomware retains Kryptina’s core AES-256-CBC encryption mechanism, decryption routines, and command-line builder, with only superficial changes made to its appearance and documentation.
The investigation also uncovered other tools on the threat actor’s server, including a legitimate Kaspersky password reset tool, an exploit for a Windows privilege escalation flaw (CVE-2024-21338), PowerShell scripts, and Java-based Mallox payload droppers. It remains unclear whether Mallox Linux 1.0 is being used by a single or multiple affiliates within the Mallox operation.
