A new ransomware strain dubbed, Mallox (aka TargetCompany, FARGO, and Tohnichi) is actively targeting and attacking Microsoft SQL (MS-SQL) servers.
Since June 2021, this new ransomware strain has been active, and it’s noteworthy, as it targets the MS-SQL servers that are not secured in an attempt to penetrate and breach the networks of the victims.
Mallox ransomware was recently identified by the security researchers at Unit 42, who noted a significant surge (174% ) in Mallox ransomware using MS-SQL servers for distribution, employing brute force, data exfiltration, and network scanners.
Mallox Ransomware
Mallox ransomware adopts double extortion tactics by encrypting files and stealing data, using it as leverage to pressure victims into paying the ransom.
With redacted names and logos, the group exhibits leaked data, giving victims private keys for negotiations and payments.
The group behind Mallox ransomware boasts hundreds of victims, but telemetry of Unit 42 reveals dozens worldwide from various industries, including:-
Manufacturing
Professional services
Legal services
Wholesale
Retail
Mallox activities surged throughout 2023, with a staggering 174% rise in attacks compared to late 2022.
The persistent Mallox group employs a consistent strategy for initial access, targeting unsecured MS-SQL servers via dictionary brute force, followed by command line and PowerShell to download the ransomware payload.
Execution of Mallox
For successful execution, the ransomware payload makes numerous attempts prior to encryption. Here below we have mentioned all the attempts:-
Attempts to stop and remove SQL-related services using sc.exe and net.exe.
Attempts to delete volume shadows, restricting file restoration after encryption.
Attempts to erase logs using Microsoft’s wevtutil command line, evading detection and forensic analysis.
Using takeown.exe, ransomware alters file permissions, blocking access to critical system processes like cmd.exe.
Blocks manual System Image Recovery with bcdedit.exe, limiting the system administrator’s options.
It uses taskkill.exe to terminate security processes and evade security solutions.
By removing the registry key, it tries to defeat Raccine anti-ransomware.
Ransom Note
In every directory on the drive of the victim, the ransomware drops a ransom note explaining the infection and offering contact details.
Although Mallox is a small and closed group, the group seeks growth by recruiting affiliates to expand its illicit operations. With successful affiliate recruitment, Mallox could broaden its scope and target additional organizations.
Unit 42 advises proper configuration and patching for internet-facing applications and systems to minimize the attack surface, limiting attackers’ options.