According to experts, hackers have modified the infamous Mallox ransomware to also attack Linux systems.
The new version is called Mallox Linux 1.0 and was recently discovered by cybersecurity researchers SentinelLabs, after Mallox’s maintainers accidentally leaked their tools.
The analysis of the tool led the researchers to conclude that Mallox Linux 1.0 is actually a rebrand of the Kryptina encryptor. Kryptina was built last year by a threat actor alias “Corlys”, who tried to rent the tool for around $800. However, since the cybercriminal community did not show much interest in the tool, Corlys shared it for free, hoping that someone would pick it up.
Target company
Now it seems that Mallox has done just that, as the new variant uses the source code of Kryptina, the same encryption mechanism (AES-256-CBC), and the same decryption routines. Furthermore, it uses the same command-line builder and configuration parameters. Therefore, Mallox developers only changed the name and appearance of the encryptor and removed all mentions of Kryptina from the documentation. Everything else remained unchanged.
There is no word yet about possible victims, but in their analysis, researchers conclude Kaspersky said Mallox affiliates “do not limit their activities to a specific country.” Instead, they attack vulnerable companies wherever they are. However, the majority of companies affected by a Mallox variant are located in Brazil, Vietnam, or China.
The ransomware is also known as Fargo or TargetCompany and has been active in one form or another since June 2021. Initially, it mainly targeted unsecured MS-SQL servers, Sekoia found. Another feature of Mallox is threatening victims, especially those in the European Union, about possible GDPR violations.
Between October 2022 and March 2023, the subsidiaries stole data from at least 20 organizations.
Via BleepingComputer