Thursday, 17 April 2025

Windows malware expands its reach, now targeting Linux systems

Mallox ransomware now targets Linux systems, expanding its reach. Discover how its evolution could threaten businesses worldwide.

Cybersecurity experts have revealed that the notorious Mallox ransomware has evolved and can now target Linux systems. Previously known for infecting Windows platforms, the malware has been upgraded in a move that could potentially widen its range of victims.

Researchers at SentinelLabs found that the new variant is being distributed under the name Mallox Linux 1.0. The discovery came from an accidental leak of tooling used by Mallox’s operators, which gave researchers enough material to determine that this Linux variant is essentially a rebranded version of the Kryptina encryptor.

A repurposed encryptor

Kryptina was first developed last year by a cybercriminal using the alias “Corlys.” At the time, Corlys attempted to rent the tool out for roughly US$800 but failed to gain any traction within the cybercrime community. With little interest in the tool, Corlys eventually made it freely accessible, hoping it might attract more attention.

It seems Mallox’s operators have taken that opportunity. By adopting Kryptina’s source code, they’ve reused its AES-256-CBC encryption mechanism and the same decryption routines. The command-line builder and configuration parameters also remain unchanged. The only real difference between the two is that Mallox’s developers have removed any references to Kryptina, rebranding it with a fresh look under the name Mallox Linux 1.0.

While the ransomware has a new face, the underlying danger remains the same. The encryption techniques make it difficult for victims to recover their files without paying the demanded ransom.

Global reach and potential victims

Although no specific victims of the Mallox Linux variant have been reported, researchers from Kaspersky have noted that Mallox operators do not limit their attacks to particular regions. They tend to exploit vulnerable companies wherever they can find them. However, most past attacks have primarily impacted businesses in Brazil, Vietnam, and China.

Mallox, which also goes by Fargo and TargetCompany, has been active since June 2021. According to cybersecurity firm Sekoia, it primarily targeted unsecured MS-SQL servers. In some cases, the attackers even threatened victims with claims of potential violations of the European Union’s General Data Protection Regulation (GDPR), adding another layer of pressure to pay the ransom.

Between October 2022 and March 2023, it was reported that Mallox affiliates had successfully stolen data from at least 20 organisations. The malware’s evolution to target Linux systems suggests that Mallox’s operators are continuing to develop and adapt their strategies to maximise their profits.

Expanding Mallox’s capabilities could pose a significant threat as businesses increasingly rely on Linux-based systems. Companies worldwide, particularly those with vulnerabilities in their systems, may find themselves in the crosshairs of this dangerous ransomware.
