Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Mallox ransomware. Show all posts
ransomware variant
Cyber Security Kryptina ransomware leaked source code Linux ransomware Mallox Linux 1.0 Mallox ransomware ransomware variant

New Mallox Ransomware Linux Variant Built on Leaked Kryptina Source Code

 

An affiliate of the Mallox ransomware group, also known as TargetCompany, has been observed using a modified version of Kryptina ransomware to target Linux systems, according to SentinelLabs. This development is distinct from other Linux-targeting Mallox variants, such as the one described by Trend Micro in June, signaling evolving tactics in the ransomware landscape.

Originally a Windows-only malware, Mallox is now expanding its focus to Linux and VMware ESXi systems, representing a notable shift for the operation. Kryptina, a ransomware-as-a-service (RaaS) platform launched in late 2023, was initially priced at $500-$800 but failed to gain popularity. In February 2024, its administrator, "Corlys," leaked the source code on hacking forums, which was later adopted by Mallox affiliates for rebranding.

Following an operational misstep by a Mallox affiliate that exposed their tools, SentinelLabs discovered the use of Kryptina’s source code to develop "Mallox Linux 1.0." The rebranded ransomware retains Kryptina’s core AES-256-CBC encryption mechanism, decryption routines, and command-line builder, with only superficial changes made to its appearance and documentation.

The investigation also uncovered other tools on the threat actor’s server, including a legitimate Kaspersky password reset tool, an exploit for a Windows privilege escalation flaw (CVE-2024-21338), PowerShell scripts, and Java-based Mallox payload droppers. It remains unclear whether Mallox Linux 1.0 is being used by a single or multiple affiliates within the Mallox operation.
Read more »
ransomware attacks
CERT-In Data Breach Mallox attack Mallox ransomware MS-SQL servers ransomware attacks

CERT-In Warns Against Mallox Ransomware Targeting Unsecured MS SQL Servers


Indian government’s nodal agency, CERT-In has issued warning about the Mallox ransomware that is exploiting MS-SQL servers through dictionary attacks.

By using dictionary attack method, the ransomware acquire unauthorized access to victims’ networks, finally succeeding in server compromise and data breaches.

The CERT-In alert states, “It has been observed that Mallox Ransomware is currently targeting unsecured Microsoft SQL Servers, using them as entry points into victim's ICT infrastructures to distribute the ransomware” “It has also been observed that the threat actor group has used brute force techniques on publicly exposed MS SQL instances to gain initial access to the victim's network infrastructure.”

Apparently, Mallox ransomware uses double extortion techniques, through which it steals sensitive data before encrypting a company’s files. The threat actor then proceeds to threaten victims to leak the stolen data on leak sites if ransom demands are not fulfilled. 

Thus, it has become necessary for companies and individuals to take security measures actively in order to safeguard their MS-SQL servers from these attacks and prevent falling prey to the Mallox ransomware.

More About the Mallox Ransomware

A study by the Unit 42 researchers claims that compared to last year, Mallox ransomware activity has increased by 174%. Strong action is required to counter the threat as a result of the increase in attacks.

The hackers responsible for Mallox have discovered a way to use unprotected MS-SQL servers as a gateway into their victims' networks, expanding their scope and the potential harm they might cause.

Moreover, the ransomware group utilizes several tools, one of them being a network scanner and data exfiltration techniques in order to cover traces of their illicit infiltration and evade security obstacles.

Once the Mallox Ransomware gains access to a target network, it attacks with lethal accuracy. Using the command line and PowerShell, the ransomware payload is downloaded from a remote server, preparing the environment for the malicious encryption procedure. Additionally, it tries to delete volume shadows, which presents a formidable barrier for the affected organization when trying to restore files.

Mallox takes additional deliberate steps to avoid detection and obstruct the forensic investigation. Application, security, setup, and system event logs are cleared by the ransomware, leaving minimal evidence of its operations.

Also, it changes file permissions, blocks users from accessing essential system functions, and shuts down security-related services.

Recommendations by CERT-In 

CERT-In shares a list of strategies that will help organizations mitigate the risk of Mallox ransomware and shares steps to secure their Microsoft SQL Server. 

  • Avoid exposing SQL Servers on the Internet’s default port (1433). Adopt secure connections like VPNs instead.
  • Disable or strengthen the SA account to minimize the risk of unauthorized access. 
  • Audit SQL CLR Assemblies and remove any unwanted ones. 
  • Implementing a firewall, allowing incoming traffic only from trusted networks and IP addresses. 
  • Keep SQL Server up to date with the latest patches and updates. 
  • Enforce the use of strong and unique passwords for all SQL logins. 
  • Configure account lockout policies to counter brute force attacks. 
  • Encrypt data in transit using SSL/TLS to protect against eavesdropping. 
  • Monitor SQL Server activity through auditing to detect and respond to threats promptly.  

Read more »
Subscribe to: Posts (Atom)