Mallox Ransomware: Linux Variant Decryptor Found

July 4, 2024, 10:53 a.m.

Description

The report analyzes the Mallox ransomware, which has been active since mid-2021 and focuses on multi-extortion by encrypting victims' data and threatening to post it on public TOR sites. Initially targeting Windows systems, Mallox has now developed Linux variants using custom Python scripts for payload delivery and data exfiltration. The analysis reveals a Flask-based web panel for creating Linux ransomware builds, with capabilities like user authentication, build management, and admin functions. The encryptor uses AES-256-CBC encryption with a specific key and IV, appends the .lmallox extension to encrypted files, and drops a ransom note. The report also includes decryptors for various build IDs and covers Uptycs XDR detection capabilities and indicators of compromise.

Date

Published: July 4, 2024, 10:36 a.m.
Created: July 4, 2024, 10:36 a.m.
Modified: July 4, 2024, 10:53 a.m.

Indicators

http://185.73.125.6/output/

http://185.73.125.6/output

Attack Patterns

Mallox

T1484

T1588

T1490

T1137

T1567

T1497

T1505

T1491

T1489

T1486

T1083

T1071

T1134

T1498

T1499

T1485

T1566

T1078

T1059