Mallox Ransomware: Linux Variant Decryptor Found
July 4, 2024, 10:53 a.m.
Description
The report analyzes Mallox ransomware, which has been active since mid-2021 and runs a multi-extortion scheme: it encrypts victims' data and threatens to publish it on its public Tor leak site. Initially targeting Windows systems, Mallox has since added Linux variants, with custom Python scripts handling payload delivery and data exfiltration. The analysis reveals a Flask-based web panel used to create Linux ransomware builds, with user authentication, build management, and admin functions. The Linux encryptor uses AES-256-CBC with a key and IV fixed in the build, which is what makes a decryptor possible; it appends the .lmallox extension to encrypted files and drops a ransom note. The report also includes decryptors for the build IDs analyzed and covers Uptycs XDR detection capabilities and indicators of compromise.
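The description above hinges on one design error in the Linux encryptor: AES-256-CBC with a key and IV fixed in the build, so anyone holding those two values can decrypt every file that build touched. The Go program below is an added example written for this page; it is neither Uptycs' decryptor nor Mallox code. It encrypts a buffer the way such a locker would, then reverses it with the same fixed key and IV and strips the .lmallox extension. The key and IV are placeholder values chosen for the demonstration, not the real build constants, and PKCS#7 padding is an assumption, since the report summary does not state the padding scheme.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
	"strings"
)

// LmalloxExt is the extension the Linux variant appends to encrypted files.
const LmalloxExt = ".lmallox"

// demoKey and demoIV are placeholder values for this example only (assumption):
// the build-specific constants recovered by the report are not reproduced here.
var (
	demoKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes selects AES-256
	demoIV  = []byte("fedcba9876543210")                 // 16 bytes, one AES block
)

// pkcs7Pad pads to a whole number of blocks (padding scheme is an assumption).
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad validates and removes the padding; a wrong key almost always fails here.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("data is not a whole number of blocks")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("invalid padding length")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("invalid padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

// newCBC checks the IV length and builds the AES block cipher for the key.
func newCBC(key, iv []byte) (cipher.Block, error) {
	if len(iv) != aes.BlockSize {
		return nil, errors.New("iv must be exactly one AES block")
	}
	return aes.NewCipher(key) // rejects anything but 16/24/32-byte keys
}

// EncryptLikeLocker models the encryptor side (AES-256-CBC, fixed IV) so the
// example is self-contained; it is not the malware's code.
func EncryptLikeLocker(plain, key, iv []byte) ([]byte, error) {
	block, err := newCBC(key, iv)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plain)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// DecryptLmallox reverses the encryption using the same fixed key and IV.
func DecryptLmallox(ct, key, iv []byte) ([]byte, error) {
	block, err := newCBC(key, iv)
	if err != nil {
		return nil, err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is truncated or not block-aligned")
	}
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ct)
	return pkcs7Unpad(out)
}

// RestoredName strips the .lmallox suffix; ok is false when the name does not carry it.
func RestoredName(name string) (string, bool) {
	if !strings.HasSuffix(name, LmalloxExt) || len(name) == len(LmalloxExt) {
		return name, false
	}
	return strings.TrimSuffix(name, LmalloxExt), true
}

func main() {
	plain := []byte("quarterly-figures: constructed sample content")
	ct, _ := EncryptLikeLocker(plain, demoKey, demoIV)
	back, err := DecryptLmallox(ct, demoKey, demoIV)
	name, _ := RestoredName("figures.xlsx" + LmalloxExt)
	fmt.Printf("restored %s: %q (err=%v)\n", name, back, err)
}
```

The padding check is the only integrity signal a CBC decryptor has: with the wrong key or IV the output is pseudorandom and the unpad almost always fails, but it is not authenticated, so a real recovery tool should also sanity-check the restored file (magic bytes, a known header) before overwriting anything.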
Date
Published: July 4, 2024, 10:36 a.m.
Created: July 4, 2024, 10:36 a.m.
Modified: July 4, 2024, 10:53 a.m.
Indicators
185.73.125.6
91.215.85.135
91.215.85.142
http://185.73.125.6/output/
http://185.73.125.6/output
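To turn the indicators above into something that can be run against proxy or firewall logs, here is an added example in Go (not part of the report) that matches the listed IPs and URL prefix against log lines. The log format and the sample lines are constructed for the example; the matcher treats IP addresses as whole tokens so that a near-miss host such as 185.73.125.60 does not fire on the 185.73.125.6 indicator, and it matches the URL indicator only as an exact path or as a prefix followed by a path or query separator.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Indicators listed in this report.
var iocIPs = map[string]bool{
	"185.73.125.6":  true,
	"91.215.85.135": true,
	"91.215.85.142": true,
}

// Both listed URL forms (with and without the trailing slash) collapse to this prefix.
var iocURLPrefixes = []string{"http://185.73.125.6/output"}

// sampleLog is a constructed, proxy-style log (not a real capture). Line 4 is a
// near-miss host that must not match.
const sampleLog = `2024-07-01T09:12:03Z 10.0.0.12 GET http://185.73.125.6/output/ 200 1843
2024-07-01T09:12:05Z 10.0.0.12 CONNECT 91.215.85.135:443 200 0
2024-07-01T09:13:10Z 10.0.0.30 GET http://example.invalid/index.html 200 512
2024-07-01T09:14:00Z 10.0.0.31 GET http://185.73.125.60/ 404 0`

var (
	// \b keeps the dotted quad a whole token, so 185.73.125.60 is not read as 185.73.125.6.
	ipv4Re = regexp.MustCompile(`\b(?:\d{1,3}\.){3}\d{1,3}\b`)
	urlRe  = regexp.MustCompile(`https?://[^\s"]+`)
)

// urlMatches accepts the exact indicator or the indicator followed by a path or query.
func urlMatches(u, prefix string) bool {
	return u == prefix || strings.HasPrefix(u, prefix+"/") || strings.HasPrefix(u, prefix+"?")
}

// MatchLine returns the distinct indicators found on one line, sorted.
func MatchLine(line string) []string {
	seen := map[string]bool{}
	for _, u := range urlRe.FindAllString(line, -1) {
		for _, p := range iocURLPrefixes {
			if urlMatches(u, p) {
				seen[p] = true
			}
		}
	}
	for _, ip := range ipv4Re.FindAllString(line, -1) {
		if iocIPs[ip] {
			seen[ip] = true
		}
	}
	out := make([]string, 0, len(seen))
	for k := range seen {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

// ScanLog maps 1-based line numbers to the indicators matched on that line.
func ScanLog(text string) map[int][]string {
	hits := map[int][]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		if m := MatchLine(sc.Text()); len(m) > 0 {
			hits[n] = m
		}
	}
	return hits
}

func main() {
	for n, m := range ScanLog(sampleLog) {
		fmt.Printf("line %d: %s\n", n, strings.Join(m, ", "))
	}
}
```

A line carrying the full URL reports both the URL indicator and the IP indicator, which is deliberate: the IP is the more durable of the two, since the path can change between campaigns while the host often does not.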
Attack Patterns
Mallox
T1484: Domain Policy Modification
T1588: Obtain Capabilities
T1490: Inhibit System Recovery
T1137: Office Application Startup
T1567: Exfiltration Over Web Service
T1497: Virtualization/Sandbox Evasion
T1505: Server Software Component
T1491: Defacement
T1489: Service Stop
T1486: Data Encrypted for Impact
T1083: File and Directory Discovery
T1071: Application Layer Protocol
T1134: Access Token Manipulation
T1498: Network Denial of Service
T1499: Endpoint Denial of Service
T1485: Data Destruction
T1566: Phishing
T1078: Valid Accounts
T1059: Command and Scripting Interpreter