Mallox Ransomware Exploits Weak MS-SQL Servers to Breach Networks

Mallox Ransomware Exploits Weak MS-SQL Servers to Breach Networks

Mallox ransomware activities in 2023 have witnessed a 174% increase when compared to the previous year, new findings from Palo Alto Networks Unit 42 reveal.

“Mallox ransomware, like many other ransomware threat actors, follows the double extortion trend: stealing data before encrypting an organization’s files, and then threatening to publish the stolen data on a leak site as leverage to convince victims to pay the ransom fee,” security researchers Lior Rochberger and Shimi Cohen said in a new report shared with The Hacker News.

A notable aspect of the group is its pattern of exploiting poorly secured MS-SQL servers via dictionary attacks as a penetration vector to compromise victims’ networks. Xollam is a deviation from the norm in that it has been observed using malicious OneNote file attachments for initial access, as detailed by Trend Micro last month.

Mallox Ransomware

The binary, for its part, attempts to stop and remove SQL-related services, delete volume shadow copies, clear system event logs, terminate security-related processes, and bypass Raccine, an open-source tool designed to counter ransomware attacks, prior to commencing its encryption process, after which a ransom note is dropped in every directory.

TargetCompany remains a small, closed group, but it has also been observed recruiting affiliates for the Mallox ransomware-as-a-service (RaaS) affiliate program on the RAMP cybercrime forum.

The development comes as ransomware continues to be a lucrative financial scheme, netting cybercriminals no less than $449.1 million in the first half of 2023 alone, per Chainalysis.

The sudden surge in Mallox infections is also symptomatic of a broader trend where ransomware attacks have witnessed a 221% jump year-over-year as of June 2023, with 434 attacks reported in June 2023 alone, largely driven by Cl0p’s exploitation of the MOVEit file transfer software vulnerability.