Mallox Ransomware Attacking MS-SQL Servers to Compromise Victims’ Networks

A new ransomware strain dubbed, Mallox (aka TargetCompany, FARGO, and Tohnichi) is actively targeting and attacking Microsoft SQL (MS-SQL) servers.

Since June 2021, this new ransomware strain has been active, and it’s noteworthy, as it targets the MS-SQL servers that are not secured in an attempt to penetrate and breach the networks of the victims.

Mallox ransomware was recently identified by the security researchers at Unit 42, who noted a significant surge (174% ) in Mallox ransomware using MS-SQL servers for distribution, employing brute force, data exfiltration, and network scanners.

Mallox attack attempts (Source – Unit 42)

Mallox Ransomware

Mallox ransomware adopts double extortion tactics by encrypting files and stealing data, using it as leverage to pressure victims into paying the ransom.

Mallox website on Tor (Source – Unit 42)

With redacted names and logos, the group exhibits leaked data, giving victims private keys for negotiations and payments.

Mallox private chat (Source – Unit 42)

The group behind Mallox ransomware boasts hundreds of victims, but telemetry of Unit 42 reveals dozens worldwide from various industries, including:-

  • Manufacturing
  • Professional services
  • Legal services
  • Wholesale
  • Retail

Mallox activities surged throughout 2023, with a staggering 174% rise in attacks compared to late 2022.

The persistent Mallox group employs a consistent strategy for initial access, targeting unsecured MS-SQL servers via dictionary brute force, followed by command line and PowerShell to download the ransomware payload.

SQL server exploitation (Source – Unit 42)

Execution of Mallox

For successful execution, the ransomware payload makes numerous attempts prior to encryption. Here below we have mentioned all the attempts:-

  • Attempts to stop and remove SQL-related services using sc.exe and net.exe.
  • Attempts to delete volume shadows, restricting file restoration after encryption.
  • Attempts to erase logs using Microsoft’s wevtutil command line, evading detection and forensic analysis.
  • Using takeown.exe, ransomware alters file permissions, blocking access to critical system processes like cmd.exe.
  • Blocks manual System Image Recovery with bcdedit.exe, limiting the system administrator’s options.
  • It uses taskkill.exe to terminate security processes and evade security solutions.
  • By removing the registry key, it tries to defeat Raccine anti-ransomware.
Process tree of the attack (Source – Unit 42)

Ransom Note

In every directory on the drive of the victim, the ransomware drops a ransom note explaining the infection and offering contact details.

Ransom Note (Source – Unit 42)

Although Mallox is a small and closed group, the group seeks growth by recruiting affiliates to expand its illicit operations. With successful affiliate recruitment, Mallox could broaden its scope and target additional organizations.

Unit 42 advises proper configuration and patching for internet-facing applications and systems to minimize the attack surface, limiting attackers’ options.

Stay up-to-date with the latest Cyber Security News; follow us on GoogleNewsLinkedinTwitterand Facebook.

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.