Anti-malware vendor Avast on Tuesday published a free decryption tool to help victims recover from Mallox ransomware attacks.
First observed in 2021 and also known as Fargo, TargetCompany, and Tohnichi, Mallox has been operating under the ransomware-as-a-service (RaaS) business model and is known for targeting Microsoft SQL servers for initial compromise.
In the past, Mallox’s developers have focused on improving the ransomware’s cryptographic schema, but Avast researchers say a weakness in that schema has paved the way for the creation of a decryptor to help restore data caught up in data extortion attacks.
Avast said the decryption tool targets files encrypted in 2023 or early 2024, and which have the extensions .bitenc, .ma1x0, .mallab, .malox, .mallox, .malloxx, and .xollam.
“Victims of the ransomware may be able to restore their files for free if they were attacked by this particular Mallox variant. The crypto-flaw was fixed around March 2024, so it is no longer possible to decrypt data encrypted by the later versions of Mallox ransomware,” Avast said.
The company released detailed instructions on how the decryptor should be used, advising the ransomware’s victims to execute the tool on the same machine where the files were encrypted.
The threat actors behind Mallox are known to launch opportunistic attacks, targeting organizations in a variety of sectors, including government, IT, legal services, manufacturing, professional services, retail, and transportation.
Like other RaaS groups, Mallox’s operators have been engaging in double extortion, exfiltrating victims’ data and threatening to leak it on a Tor-based website unless a ransom is paid.
While Mallox mainly focuses on Windows systems, variants targeting Linux machines and VMware ESXi systems have been observed as well. In all cases, the preferred intrusion method has been the exploitation of unpatched flaws and the brute-forcing of weak passwords.
Following initial compromise, the attackers would deploy various droppers, and batch and PowerShell scripts to escalate their privileges and download additional tools, including the file-encrypting ransomware.
The ransomware uses the ChaCha20 encryption algorithm to encrypt victims’ files and appends the ‘.rmallox’ extension to them. It then drops a ransom note in each folder containing encrypted files.
Mallox terminates key processes associated with SQL database operations and encrypts files associated with data storage and backups, causing severe disruptions.
It elevates privileges to take ownership of files and processes, locks system files, terminates security products, disables automatic repair protections by modifying boot configuration settings, and deletes shadow copies to prevent data recovery.
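Before running Avast’s decryptor, an incident responder needs to know whether the files on a host match the variant it covers: one of the extensions listed above, encrypted in 2023 or early 2024, rather than the later .rmallox variant. The following Python script is an added triage illustration, not Avast’s tool or code from this article. It walks a directory, classifies files by extension and modification time, and reports counts. Assumptions: the file’s modification time reflects when the ransomware wrote it, the cut-off for the fixed flaw is taken as the end of March 2024, and the sample tree is constructed in a temporary directory purely to demonstrate the logic.

```python
"""
Triage helper: count files that look like candidates for Avast's Mallox
decryptor. Added example, not Avast's decryptor and not from the article.
"""
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, Optional

# Extensions the article lists as covered by the decryptor.
DECRYPTABLE_EXTENSIONS = {
    ".bitenc", ".ma1x0", ".mallab", ".malox", ".mallox", ".malloxx", ".xollam",
}
# Extension the article associates with the ransomware's later build.
LATER_VARIANT_EXTENSIONS = {".rmallox"}

# Decryptable window: 2023 to early 2024. Assumption: the flaw was fixed
# "around March 2024", so the end of March 2024 is used as the cut-off.
WINDOW_START = datetime(2023, 1, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 3, 31, 23, 59, 59, tzinfo=timezone.utc)


def classify_file(path: Path) -> Optional[str]:
    """Return a verdict for one file, or None if it is not a Mallox artifact.

    Assumption: mtime is the time the ransomware wrote the encrypted file.
    """
    ext = path.suffix.lower()
    if ext in LATER_VARIANT_EXTENSIONS:
        return "later_variant"
    if ext not in DECRYPTABLE_EXTENSIONS:
        return None
    mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
    if WINDOW_START <= mtime <= WINDOW_END:
        return "decryptable_candidate"
    return "outside_window"


def triage(root: Path) -> Dict[str, int]:
    """Walk a tree and count files per verdict."""
    counts = {"decryptable_candidate": 0, "outside_window": 0, "later_variant": 0}
    for p in root.rglob("*"):
        if p.is_file():
            verdict = classify_file(p)
            if verdict is not None:
                counts[verdict] += 1
    return counts


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: encrypted-looking files with chosen mtimes."""
    cases = [
        ("finance/q3.xlsx.mallox", datetime(2023, 9, 12, tzinfo=timezone.utc)),
        ("hr/staff.docx.xollam", datetime(2024, 2, 2, tzinfo=timezone.utc)),
        ("hr/payroll.docx.mallox", datetime(2024, 6, 1, tzinfo=timezone.utc)),
        ("db/backup.bak.rmallox", datetime(2024, 8, 1, tzinfo=timezone.utc)),
        ("db/notes.txt", datetime(2023, 5, 1, tzinfo=timezone.utc)),
    ]
    for rel, when in cases:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"\x00" * 16)  # placeholder content, not real ciphertext
        ts = when.timestamp()
        os.utime(p, (ts, ts))


def run_demo() -> Dict[str, int]:
    """Build the constructed tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    for verdict, n in run_demo().items():
        print(f"{verdict}: {n}")
```

On a real host you would point `triage()` at the affected volumes; a non-zero `decryptable_candidate` count is the signal to try the decryptor on that same machine, as Avast advises, while `outside_window` or `later_variant` hits indicate files the tool will not recover.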