Threat Group Assessment: Mallox Ransomware

Threat Group Assessment: Mallox Ransomware

Executive Summary

Mallox (aka TargetCompany, Fargo and Tohnichi) is a ransomware strain that targets Microsoft (MS) Windows systems. It has been active since June 2021, and is notable for exploiting unsecure MS-SQL servers as a penetration vector to compromise victims’ networks.

Recently, Unit 42 researchers have observed an uptick of Mallox ransomware activities – with an increase of almost 174% compared to the previous year – exploiting MS-SQL servers to distribute the ransomware. Unit 42 incident responders have observed Mallox ransomware using brute forcing, data exfiltration and tools such as network scanners. In addition, we have found indications that the group is working on expanding their operations and recruiting affiliates on hacking forums.

Palo Alto Networks customers receive protections from Mallox ransomware and the techniques discussed in this blog through Cortex XDR, which provides a multilayer defense that includes behavioral threat protection and exploit protection.

The Advanced WildFire cloud-delivered malware analysis service accurately identifies samples related to Mallox as malicious.

Cloud-Delivered Security Services including Advanced URL Filtering and DNS Security identify domains associated with this group as malicious.

If you believe you have been compromised, the Unit 42 Incident Response team can provide a personalized response.

Overview of Mallox Ransomware

Mallox ransomware, like many other ransomware threat actors, follows the double extortion trend: stealing data before encrypting an organization’s files, and then threatening to publish the stolen data on a leak site as leverage to convince victims to pay the ransom fee.