
Avast Releases Free Decryptor for Mallox Ransomware

Avast has released a decryptor for the Mallox ransomware after identifying a weakness in its cryptographic schema.


Anti-malware vendor Avast on Tuesday published a free decryption tool to help victims recover from Mallox ransomware attacks.

First observed in 2021 and also known as Fargo, TargetCompany, and Tohnichi, Mallox has been operating under the ransomware-as-a-service (RaaS) business model and is known for targeting Microsoft SQL servers for initial compromise.

In the past, Mallox’s developers have focused on improving the ransomware’s cryptographic schema, but Avast researchers say a weakness in the schema has paved the way for the creation of a decryptor to help restore data caught up in data extortion attacks.

Avast said the decryption tool targets files encrypted in 2023 or early 2024 that carry the extensions .bitenc, .ma1x0, .mallab, .malox, .mallox, .malloxx, and .xollam.

“Victims of the ransomware may be able to restore their files for free if they were attacked by this particular Mallox variant. The crypto-flaw was fixed around March 2024, so it is no longer possible to decrypt data encrypted by the later versions of Mallox ransomware,” Avast said.

The company released detailed instructions on how the decryptor should be used, advising the ransomware’s victims to execute the tool on the same machine where the files were encrypted.

The threat actors behind Mallox are known to launch opportunistic attacks, targeting organizations in a variety of sectors, including government, IT, legal services, manufacturing, professional services, retail, and transportation.

Like other RaaS groups, Mallox’s operators have been engaging in double extortion, exfiltrating victims’ data and threatening to leak it on a Tor-based website unless a ransom is paid.


While Mallox mainly focuses on Windows systems, variants targeting Linux machines and VMware ESXi systems have been observed as well. In all cases, the preferred intrusion method has been the exploitation of unpatched flaws and the brute-forcing of weak passwords.

Following initial compromise, the attackers deploy various droppers, along with batch and PowerShell scripts, to escalate their privileges and download additional tools, including the file-encrypting ransomware itself.

The ransomware uses the ChaCha20 encryption algorithm to encrypt victims’ files and appends the ‘.rmallox’ extension to them. It then drops a ransom note in each folder containing encrypted files.

Mallox terminates key processes associated with SQL database operations and encrypts files associated with data storage and backups, causing severe disruptions.

It elevates privileges to take ownership of files and processes, locks system files, terminates security products, disables automatic repair protections by modifying boot configuration settings, and deletes shadow copies to prevent data recovery.
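The behaviours described above (shadow copy deletion, boot configuration tampering to disable automatic repair, and termination of SQL processes) are observable in process-creation telemetry before encryption completes. The following is an added detection example, not code from the article or from Avast; the sample events are constructed, and the specific commands matched (vssadmin, wmic, bcdedit, taskkill, net stop) are an assumption about how these behaviours are typically carried out, since the article names only the behaviours.

```python
import re

# Constructed sample process-creation events (not from the article or Avast);
# fields mimic a Sysmon Event ID 1 export reduced to what the detector needs.
SAMPLE_EVENTS = [
    {"host": "db01", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "db01", "image": "C:\\Windows\\System32\\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "db01", "image": "C:\\Windows\\System32\\taskkill.exe",
     "cmdline": "taskkill /f /im sqlservr.exe"},
    {"host": "ws07", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},  # benign admin query, must not fire
]

# Each rule maps one behaviour named in the article to a command-line pattern.
# The exact commands are an assumption about the usual way the behaviour is
# performed; the article itself only describes the outcome.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete)", re.I),
    "boot_recovery_disabled": re.compile(
        r"bcdedit.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "sql_process_termination": re.compile(
        r"(taskkill.*sqlservr|net\s+stop\s+.*mssql)", re.I),
}

def classify(event):
    """Return the names of the rules an event's command line matches."""
    cmd = event.get("cmdline", "")
    return [name for name, pat in RULES.items() if pat.search(cmd)]

def score_hosts(events):
    """Group distinct rule hits per host. One hit can be legitimate admin
    work; several distinct behaviours on one host look like ransomware
    staging and deserve an immediate response."""
    per_host = {}
    for ev in events:
        for name in classify(ev):
            per_host.setdefault(ev["host"], set()).add(name)
    return {host: sorted(hits) for host, hits in per_host.items()}

if __name__ == "__main__":
    for host, hits in score_hosts(SAMPLE_EVENTS).items():
        level = "HIGH" if len(hits) >= 2 else "low"
        print(f"{host}: {level} {hits}")
```

In a real deployment the events would come from an EDR or Sysmon feed and the per-host grouping would be bounded to a short time window.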


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
