FortiGuard Labs is aware of recent reports of an uptick of activity in the Mallox ransomware observed in the wild. Reportedly, the Mallox threat actor distributes ransomware via a downloader attached to spam emails by targeting unsecured internet-facing Microsoft SQL servers. Mallox ransomware encrypts files on compromised machines and typically adds a “.mallox” file extension to the affected files.Why is this Significant?This is significant because recent reports highlight an increased uptick of Mallox ransomware activities. Ransomware infection causes disruption, damage to daily operations, potential impact to an organization’s reputation, and the unwanted destruction or release of personally identifiable information (PII), etc.What is Mallox Ransomware?Mallox is a ransomware strain that has been around since 2021 and is also known as Fargo. The ransomware encrypts files on compromised machines and typically adds a “.mallox” file extension to the affected files. Mallox leaves a ransom note titled “FILE RECOVERY.txt” that contains the ransom message, victim’s private key, and a TOR site address where victims can contact the attacker. The TOR site also works as a data leak site where information stolen from the victims will be released if ransom payment is not made. At the time of this writing, the leak site listed one company, however previous victims may have been removed.Ransom note left by Mallox ransomwareMallox ransomware threat actor reportedly distributes the ransomware via downloader malware attached to spam emails. The threat actor also targets unsecured internet-facing Microsoft SQL servers by attempting to log with a list of username and password combinations.What is the Status of Protection?FortiGuard Labs provides the following AV signatures for known Mallox ransomware samples:W32/Filecoder.D181!tr.ransomW32/Filecoder.OJC!tr.ransomW32/Generic.AC.171!tMSIL/Agent.LXR!trMSIL/Agent.LYC!trMSIL/Agent.NLO!tr.dldrMSIL/Agent.NZA!tr.dldrMSIL/Agent.OBD!tr.dldrMSIL/Agent.OEY!tr.dldrMSIL/Agent.OFN!tr.dldrMSIL/Agent.OHG!tr.dldrMSIL/GenKryptik.FMRD!trMSIL/Kryptik.ADHC!trMSIL/Kryptik.AGYT!tr.ransomMSIL/Kryptik.AHJZ!trMSIL/Kryptik.DCC!trPossibleThreat
More Stories
ZDI-CAN-25373: Microsoft
A CVSS score 7.0 AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Peter Girnus - Trend Micro Zero Day Initiative' was reported to...
DSA-5774-1 ruby-saml – security update
It was discovered that ruby-saml, a SAML library implementing the client side of a SAML authorization, does not properly verify...
USN-6968-2: PostgreSQL vulnerability
USN-6968-1 fixed CVE-2024-7348 in PostgreSQL-12, PostgreSQL-14, and PostgreSQL-16 This update provides the corresponding updates for PostgreSQL-9.5 in Ubuntu 16.04 LTS....
USN-7015-2: Python vulnerabilities
USN-7015-1 fixed several vulnerabilities in Python. This update provides one of the corresponding updates for python2.7 for Ubuntu 16.04 LTS,...
USN-7027-1: Emacs vulnerabilities
It was discovered that Emacs incorrectly handled input sanitization. An attacker could possibly use this issue to execute arbitrary commands....
USN-7024-1: tgt vulnerability
It was discovered that tgt attempts to achieve entropy by calling rand without srand. The PRNG seed is always 1,...