Mallox Ransomware: In-Depth Analysis, Detection, and Mitigation

What Is Mallox Ransomware?

Mallox ransomware has been active since mid-2021 with a surge in activity between September and December 2022. Also known as “TargetCompany” or “Fargo” ransomware, this wave of activity has continued into 2023 as well. The group focuses on multi-extortion, encrypting their victims’ data and threatening to post it on their public TOR-based sites. Mallox maintains their TOR-based victim blog as of June 2023.

What Does Mallox Ransomware Target?

Mallox targets large enterprises and does not discriminate against potential victims based on geography, industry type, or other factors.

How Does Mallox Ransomware Work?

Mallox payloads are usually .NET-based, .EXE, or .DLL files that can be spread through various methods, including exposed MS-SQL servers and phishing or spam emails. It uses a combination of AES-128 and ChaCha20 for encryption and terminates a list of processes and services without attempting to hide its malicious activity.

The malware can be spread via multiple methods. Many Mallox campaigns, especially in their early ones, target exposed MS-SQL servers through dictionary or brute-force style attacks. Additional campaigns have utilized phishing or spam emails with links to malicious payloads contained within. Most variations of Mallox utilize a combination of AES-128 and ChaCha20 to achieve file encryption efficiently.

When launched, Mallox attempts to discover and terminate a large list of hard-coded processes and services by name. This is all done with no attempt at hiding the malicious activity, making it all viewable to the victim devices’ user. Mallox payloads contain hard-coded lists of processes and paths to excluded from the encryption process.

How to Detect Mallox Ransomware

The SentinelOne Singularity XDR Platform can identify and stop any malicious activities and items related to Mallox Ransomware.

In case you do not have SentinelOne deployed, detecting Mallox ransomware requires a combination of technical and operational measures designed to identify and flag suspicious activity on the network. This allows the organization to take appropriate action, and to prevent or mitigate the impact of the ransomware attack.

To detect Mallox ransomware without SentinelOne deployed, it is important to take a multi-layered approach, which includes the following steps:

  1. Use anti-malware software or other security tools capable of detecting and blocking known ransomware variants. These tools may use signatures, heuristics, or machine learning algorithms, to identify and block suspicious files or activities.
  2. Monitor network traffic and look for indicators of compromise, such as unusual network traffic patterns or communication with known command-and-control servers.
  3. Conduct regular security audits and assessments to identify network and system vulnerabilities and ensure that all security controls are in place and functioning properly.
  4. Educate and train employees on cybersecurity best practices, including identifying and reporting suspicious emails or other threats.
  5. Implement a robust backup and recovery plan to ensure that the organization has a copy of its data and can restore it in case of an attack.

How to Mitigate Mallox Ransomware

The SentinelOne Singularity XDR Platform can return systems to their original state using either the Repair or Rollback feature.

In case you do not have SentinelOne deployed, there are several steps that organizations can take to mitigate the risk of Mallox ransomware attacks:

Educate employees: Employees should be educated on the risks of ransomware, and on how to identify and avoid phishing emails, malicious attachments, and other threats. They should be encouraged to report suspicious emails or attachments, and to avoid opening them, or clicking on links or buttons in them.

Implement strong passwords: Organizations should implement strong, unique passwords for all user accounts, and should regularly update and rotate these passwords. Passwords should be at least 8 characters long, and should include a combination of uppercase and lowercase letters, numbers, and special characters.

Enable multi-factor authentication: Organizations should enable multi-factor authentication (MFA) for all user accounts, to provide an additional layer of security. This can be done through the use of mobile apps, such as Google Authenticator or Microsoft Authenticator, or through the use of physical tokens or smart cards.

Update and patch systems: Organizations should regularly update and patch their systems, to fix any known vulnerabilities, and to prevent attackers from exploiting them. This includes updating the operating system, applications, and firmware on all devices, as well as disabling any unnecessary or unused services or protocols.

Implement backup and disaster recovery: Organizations should implement regular backup and disaster recovery (BDR) processes, to ensure that they can recover from ransomware attacks, or other disasters. This includes creating regular backups of all data and systems, and storing these backups in a secure, offsite location. The backups should be tested regularly, to ensure that they are working, and that they can be restored quickly and easily.