
Avast Releases Free Decryptor for Mallox Ransomware

Avast has released a decryptor for the Mallox ransomware after identifying a weakness in its cryptographic schema.


Anti-malware vendor Avast on Tuesday published a free decryption tool to help victims recover from Mallox ransomware attacks.

First observed in 2021 and also known as Fargo, TargetCompany, and Tohnichi, Mallox has been operating under the ransomware-as-a-service (RaaS) business model and is known for targeting Microsoft SQL servers for initial compromise.

In the past, Mallox’s developers have focused on improving the ransomware’s cryptographic schema, but Avast researchers say a weakness in that schema paved the way for a decryptor that can restore data caught up in the group’s data extortion attacks.

Avast said the decryption tool targets files encrypted in 2023 or early 2024, and which have the extensions .bitenc, .ma1x0, .mallab, .malox, .mallox, .malloxx, and .xollam.

“Victims of the ransomware may be able to restore their files for free if they were attacked by this particular Mallox variant. The crypto-flaw was fixed around March 2024, so it is no longer possible to decrypt data encrypted by the later versions of Mallox ransomware,” Avast said.

The company released detailed instructions on how the decryptor should be used, advising the ransomware’s victims to execute the tool on the same machine where the files were encrypted.

The threat actors behind Mallox are known to launch opportunistic attacks, targeting organizations in a variety of sectors, including government, IT, legal services, manufacturing, professional services, retail, and transportation.

Like other RaaS groups, Mallox’s operators have been engaging in double extortion, exfiltrating victims’ data and threatening to leak it on a Tor-based website unless a ransom is paid.


While Mallox mainly focuses on Windows systems, variants targeting Linux machines and VMware ESXi systems have been observed as well. In all cases, the preferred intrusion method has been the exploitation of unpatched flaws and the brute-forcing of weak passwords.

Following initial compromise, the attackers would deploy various droppers, and batch and PowerShell scripts to escalate their privileges and download additional tools, including the file-encrypting ransomware.

The ransomware uses the ChaCha20 encryption algorithm to encrypt victims’ files and appends the ‘.rmallox’ extension to them. It then drops a ransom note in each folder containing encrypted files.

Mallox terminates key processes associated with SQL database operations and encrypts files associated with data storage and backups, causing severe disruptions.

It elevates privileges to take ownership of files and processes, locks system files, terminates security products, disables automatic repair protections by modifying boot configuration settings, and deletes shadow copies to prevent data recovery.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
