Mallox Ransomware Attacking Linux Servers In Wild – Decryptor Uncovered

Linux servers often provide hosting for critical applications, websites, and databases, which makes them a lucrative target for intruders to get unauthorized access to steal data and manipulate services.

Exploiting security holes in Linux servers can enable attackers to take control over large-scale infrastructures. Due to its popularity and wide usage in enterprise environments, Linux is very appealing to malicious actors.


Cybersecurity researchers at Uptycs recently discovered that Mallox ransomware has been actively attacking Linux servers in the wild.

Mallox Ransomware Attacking Linux Servers

The Mallox ransomware has been around since 2021, and now, it has moved to Linux systems using custom Python scripts.

The discovery of a new Flask-based web panel makes it easy for its users to develop and maintain Linux ransomware builds.

"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo

When you register on this page, this site’s host will facilitate your authentication and malware development.

This indicates that the creators of Mallox may have changed their tactics and can now offer RaaS services in different regions.

Mallox ransomware diamond model (Source – Uptycs)

The Mallox ransomware encryptor uses base64 encoding and AES-256-CBC encryption for its configuration. The decrypted config reveals the following things:-

  • Ransom details
  • Target information
  • Encryption parameters 

The ransomware employs the same AES-256-CBC method to encrypt victim files, appending a .lmallox extension and dropping a ransom note named “READ_THIS_NOW.txt.”

Mallox ransom note (Source – Uptycs)

Mallox ransomware provides decryptors for each encryptor built on their server. Uptycs has collected seven such decryptors corresponding to specific build IDs. 

Hunting Mallox ransomware Infrastructure (Source – Uptycs)

The researchers also offered detection capabilities using YARA rules to identify Mallox campaign activity. Researchers can hunt for Mallox servers using specific queries on FOFA or Censys search engines.

Yara Detection

Yara detection (Source – Uptycs)

Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.