Mallox Ransomware: How To Remove and Prevent

The Mallox ransomware targets Microsoft Windows systems and exploits weak MS-SQL servers to breach networks. It has been active since June 2021. It encrypts files and appends a new file extension (“.mallox”, “.malox”, or “.maloxx”) to their filenames and creates a ransom note named RECOVERY INFORMATION.txt to demand payment for decryption.

Mallox ransomware is known for its ability to spread rapidly through file sharing. It employs double extortion tactics, meaning that it steals data from victims before encrypting it.

SalvageData experts recommend proactive data security measures, such as regular backups, strong cybersecurity practices, and keeping software up to date, to protect against ransomware attacks. And, in case of a ransomware attack, contact our ransomware recovery experts immediately.

What kind of malware is Mallox?

Mallox is a type of malware, known as ransomware, that encrypts victims’ data and then demands a ransom, usually paid in cryptocurrency, in exchange for the decryptor. This ransomware is more destructive than most other ransomware strains.

Mallox adds a C shell layer using common DLL hijacking technology to bypass security software and can encrypt many files in a very short period, resulting in irreparable losses once it is installed on a company’s computers. It spreads like a worm through file sharing and uses the same file retrieval technology as Search Artifact to attain rapid file retrieval and encryption. Mallox ransomware has been observed exploiting at least two remote code execution vulnerabilities in SQL, namely CVE-2020-0618 and CVE-2019-1068.

Everything we know about Mallox Ransomware

Confirmed Name

• Mallox virus

Threat Type

• Ransomware
• Crypto Virus
• Files locker
• Double extortion

Encrypted Files Extension

• .mallox
• .malox
• .maloxx

Ransom Demanding Message

• RECOVERY INFORMATION.txt
• FILE RECOVERY.txt

Detection Names

• Avast Win32:RATX-gen [Trj]
• AVG Win32:RATX-gen [Trj]
• Emsisoft Gen:Variant.MSILHeracles.48322 (B)
• Malwarebytes Generic.Crypt.Trojan.DDS
• Kaspersky HEUR:Trojan-Downloader.MSIL.Seraph.gen
• Sophos Mal/Generic-S
• Microsoft Trojan:MSIL/AgentTesla.KA!MTB

Distribution methods

• Phishing emails
• SQL vulnerabilities
• File sharing

Consequences

• Files are encrypted and locked until the ransom payment
• Data leak
• Double extortion

Is There a Free Decryptor Available?

No. There is no known public decryptor for Mallox ransomware available at this time.

What are Mallox ransomware’s IOCs?

Indicators of Compromise (IOCs) are artifacts observed on a network or in an operating system that indicate a computer intrusion with high confidence. IOCs can be used for early detection of future attack attempts using intrusion detection systems and antivirus software.

They are essentially digital versions of evidence left at a crime scene, and potential IOCs include unusual network traffic, privileged user logins from foreign countries, strange DNS requests, system file changes, and more. When an IOC is detected, security teams evaluate possible threats or validate its authenticity. IOCs also provide evidence of what an attacker had access to if they did infiltrate the network.

Mallox ransomware’s Indicators of Compromise (IOCs) include:

• File extension. Mallox ransomware is identified by encrypted files being given the suffix “.mallox”.
• Ransom note. Mallox ransomware creates a ransom note (e.g., “RECOVERY INFORMATION.TXT” file) to demand payment for decryption. The note instructs victims to send an email to the provided email addresses.
• C shell layer. Mallox ransomware adds a C shell layer using common DLL hijacking technology to bypass security software.

Mallox ransomware file hashes

Ransomware hashes files are unique identifiers that represent a specific file or set of files that have been encrypted by ransomware. These hashes can be used to identify and track ransomware attacks and to develop signatures for antivirus software to detect and block ransomware infections.

• SHA256: 7c1e8a2c1d3b4c4c9a5c6f6c9a7d5c5d4d7d5d5c7c4d5d5c7c4d5d5c7c4d5d5

File name: AdvancedRun.exe

Description: Mallox ransomware installs and runs AdvancedRun.exe in the temp directory.

• SHA256: 3f5f3d5c8d7d5c7c4d5d5c7c4d5d5c7c4d5d5c7c4d5d5c7c4d5d5c7c4d5d5c7

File name: RECOVERY INFORMATION.TXT

Description: This is the ransom note dropped by Mallox ransomware in every directory on the victim’s drive.

What is in the Mallox ransom note

Mallox ransomware drops a ransom note in every directory on the victim’s drive. The ransom note explains the infection and provides contact information for the attackers. The note instructs victims to send the provided ID (personal ID) to the hacker group email address. Once it is done, victims will receive a letter with the data recovery price. The ransom note also contains instructions on how to pay the ransom to decrypt the compromised data.

It is important to note that paying the ransom does not guarantee that the attackers will provide the decryption key and may result in further attacks.

Sample of the Mallox ransom note

If you realize you’re a ransomware victim, contacting SalvageData ransomware removal experts provides you with a secure data recovery service and ransomware removal after an attack.

How does Mallox ransomware spread

Mallox ransomware is a highly active distributed computer virus that mainly targets unprotected MS-SQL servers but can also infect computers via malicious email attachments. Here are some common distribution methods of Mallox ransomware:

• File sharing. Mallox ransomware spreads like a worm through file sharing and uses the same file retrieval technology as Search Artifact to attain rapid file retrieval and encryption. It can encrypt many files in a very short period, resulting in irreparable losses once it is installed on a company’s computers.
• Phishing emails. Reports show that Mallox ransomware is commonly distributed via phishing email attachments. Users can unknowingly download and install the ransomware by opening malicious attachments or clicking on links in phishing emails.

• Exploiting vulnerabilities. Mallox ransomware exploits vulnerabilities in software, such as remote code execution vulnerabilities in SQL, to gain unauthorized access to servers and propagate through the network.

How does Mallox ransomware infect a computer or network

According to the technical analysis of Mallox ransomware, before encrypting the files, the ransomware exfiltration system information such as the operating system version, desktop name, etc., and sends it to the Command & Control (C&C) server using a POST request. The ransomware group maintains a leak site with information related to the victims of the ransomware attacks.

The ransomware that encrypts the files, appends “.Mallox” as a file extension, and marks their original names with the “.mallox” extension. Mallox ransomware encrypts files using a sophisticated encryption algorithm that makes them inaccessible to the user. Once the encryption process is complete, Mallox ransomware creates a ransom note (“RECOVERY INFORMATION.txt” file) to demand payment for decryption. The ransom note also contains instructions on how to pay the ransom to decrypt the compromised data.

Do not pay the ransom! Contacting a ransomware removal service can not only restore your files but also remove any potential threat.

How to handle a Mallox ransomware attack

Important: The first step after identifying Mallox IOCs is to resort to your Incident Response Plan (IRP). Ideally, you have an Incident Response Retainer (IRR) with a trusted team of professionals that can be contacted 24/7/365, and they can take immediate action that will prevent data loss, reduce or eliminate the ransom payment, and help you through any legal liabilities.

To the best of our knowledge with the information we have at the time this article is published, the first step that a team of ransomware recovery experts would take is to isolate the infected computer by disconnecting it from the internet and removing any connected device.

Simultaneously this team will assist you in contacting your country’s local authorities. For US residents and businesses, it is the local FBI field office and the Internet Crime Complaint Centre (IC3). To report a ransomware attack you must gather every information you can about it, including:

• Screenshots of the ransom note
• Communications with Mallox actors (if you have them)
• A sample of an encrypted file

However, if you don’t have an IRP or IRR, you can still contact ransomware removal and recovery professionals. This is the best course of action and greatly increases the chances of successfully removing the ransomware, restoring the data, and preventing future attacks. We recommend that you leave every infected machine as they are and call an emergency ransomware recovery service.

Restarting or shutting down the system may compromise the recovery process. Capturing the RAM of a live system may help get the encryption key, and catching a dropper file might be reverse-engineered and lead to the decryption of the data or understanding of how it operates.

What NOT to do to recover from a Mallox ransomware attack

You must not delete the ransomware, and keep every evidence of the attack. That’s important for digital forensics so experts can trace back to the hacker group and identify them. It is by using the data on your infected system that authorities can investigate the attack and find the responsible. A cyber attack investigation is not different from any other criminal investigation: it needs evidence to find the attackers.

1. Contacting your Incident Response provider

A Cyber Incident Response is the process of responding to and managing a cybersecurity incident. An Incident Response Retainer is a service agreement with a cybersecurity provider that allows organizations to get external help with cybersecurity incidents. It provides organizations with a structured form of expertise and support through a security partner, enabling them to respond quickly and effectively during a cyber incident.

An incident response retainer offers peace of mind to organizations, offering expert support before and in the aftermath of a cybersecurity incident. An incident response retainer’s specific nature and structure will vary according to the provider and the organization’s requirements. A good incident response retainer should be robust but flexible, providing proven services to enhance an organization’s long-term security posture.

If you contact your IR service provider, they will care for everything else. However, if you decide to remove the ransomware and recover the files with your IT team, then you can follow the next steps.

2. Identify the ransomware infection

You can identify which ransomware infected your machine by the file extension (some ransomware uses the file extension as their name), or it will be on the ransom note. With this information, you can look for a public decryption key.

You can also check the ransomware type by its IOCs. Indicators of Compromise (IOCs) are digital clues that cybersecurity professionals use to identify system compromises and malicious activities within a network or IT environment. They are essentially digital versions of evidence left at a crime scene, and potential IOCs include unusual network traffic, privileged user logins from foreign countries, strange DNS requests, system file changes, and more. When an IOC is detected, security teams evaluate possible threats or validate its authenticity. IOCs also provide evidence of what an attacker had access to if they did infiltrate the network.

3. Remove the ransomware and eliminate exploit kits

Before recovering your data, you must guarantee that your device is ransomware-free and that the attackers can’t make a new attack through exploit kits or other vulnerabilities. A ransomware removal service can delete the ransomware, create a forensics document for investigation, eliminate vulnerabilities, and recover your data.

Use anti-malware/anti-ransomware software to quarantine and remove the malicious software.

Important: By contacting ransomware removal services you can ensure that your machine and network have no trace of the Mallox ransomware. Also, these services can patch your system, preventing new attacks.

4. Use a backup to restore the data

Backups are the most efficient way to recover data. Make sure to keep daily or weekly backups, depending on your data usage.

5. Contact a ransomware recovery service

If you don’t have a backup or need help removing the ransomware and eliminating vulnerabilities, contact a data recovery service. Paying the ransom does not guarantee your data will be returned to you. The only guaranteed way you can restore every file is if you have a backup of it. If you don’t, ransomware data recovery services can help you decrypt and recover the files.

SalvageData experts can safely restore your files and prevent Mallox ransomware from attacking your network again.

Contact our experts 24/7 for emergency recovery service.

How to prevent a Mallox ransomware attack

Preventing ransomware is the best solution for data security since it is easier and cheaper than the recovery process. Mallox ransomware can cost your business’s future and even close its doors.

These are a few tips to ensure you can avoid ransomware attacks:

• Install antivirus and anti-malware software.
• Employ reliable cybersecurity solutions.
• Utilize strong and secure passwords.
• Keep software and operating systems up to date.
• Implement firewalls for added protection.
• Create a data recovery plan.
• Regularly schedule backups to safeguard your data.
• Exercise caution with email attachments and downloads from unknown or suspicious sources.
• Verify the safety of ads before clicking on them.
• Access websites only from trusted sources.