Specialists at Uptycs have recently discovered a new variant of the Mallox ransomware program specifically designed for Linux systems. The malicious program encrypts victims’ data, rendering it inaccessible until a ransom is paid. The discovery of this new version highlights the evolving threat landscape faced by Linux users.
The attacks involving Mallox are executed using a Python user script to deliver malware to the targeted system. The script is web-based and built on the FLASK framework, utilizing system variables for connectivity to an internal database. This method inadvertently provides valuable insights into the infrastructure used by the attackers.
Mallox, also known as Fargo, Targetcompany, and Mawahelper, poses a significant risk due to its web panel that allows cybercriminals to customize ransomware options, manage their deployment, and even download the malicious software itself. This level of control gives attackers a powerful tool to extort victims.
The updated version of Mallox encrypts victims’ data and appends the file extension “.locked” to the encrypted files. Previous versions used extensions such as .net, .exe, or .dll and were distributed through various means including MS-SQL servers, phishing emails, and spam. The malware’s functionalities include user authentication, assembly management, user registration, password manipulation, and creating new extortion options.
The administrator panel of Mallox enables the management of user profiles, viewing of logs, account management, and features a chat interface and a custom 404 error page. The encryption process employed by Mallox utilizes the AES-256-CBC algorithm, known for its high level of security, making it extremely challenging for victims to decrypt files without the attackers’ decryption key.
Mallox operations have been active since mid-2021 and have evolved to adopt a Ransomware-AS-A-Service (RAAS) distribution model since mid-2022. The group behind Mallox employs multi-stage extortion tactics, encrypting victims’ data and threatening to leak it on public Tor sites to increase pressure for ransom payment.
Fortunately, Uptycs experts have identified a decryption tool for Mallox. However, given the ability of the ransomware creators to update their software to thwart decryption attempts, the effectiveness of the tool may only be temporary in nature.