Mallox Ransomware: Nightmare for MS-SQL Servers

Mallox Ransomware: Nightmare for MS-SQL Servers

In today’s fast-evolving landscape of cyber threats, a new player has emerged with a significant surge in activity. The Mallox ransomware group, also known as TargetCompany, FARGO, and Tohnichi, has been actively targeting and attacking Microsoft SQL (MS-SQL) servers since 2021. The group’s activities have seen a staggering 174% increase in 2023 compared to the previous year, according to Palo Alto Networks.

The Mallox Modus Operandi & How it Works

Mallox ransomware primarily targets MS-SQL servers that are not adequately secured, attempting to penetrate and breach the networks of its victims. The group employs a consistent strategy for initial access, targeting unsecured MS-SQL servers via dictionary brute force, followed by command line and PowerShell to download the ransomware payload.

Once the ransomware gains a foothold on the infected host, it makes several attempts to prepare the system for encryption. These include attempts to stop and remove SQL-related services, delete volume shadows to restrict file restoration after encryption, erase logs using Microsoft’s wevtutil command line to evade detection and forensic analysis, alter file permissions to block access to critical system processes, and terminate security processes to evade security solutions.

The group adopts double extortion tactics by encrypting files and stealing data to pressure victims into paying the ransom. With redacted names and logos, the group exhibits leaked data, providing victims with private keys for negotiations and payments.

Read also: Swedish-Swiss Tech Giant ‘ABB’ Hit by ‘Black Basta’ Ransomware

The Impact of Mallox Attacks

The group behind Mallox ransomware boasts hundreds of victims worldwide spanning across various industries including manufacturing, pharma, professional services, legal services, wholesale, and retail. The surge in Mallox activities throughout 2023 is alarming, with a 174% rise in attacks compared to late 2022.

Despite being a relatively small and closed group, Mallox seeks growth by recruiting affiliates to expand its illicit operations. With successful affiliate recruitment, Mallox could broaden its scope and target additional organizations. The sudden surge in Mallox infections is symptomatic of a broader trend where ransomware attacks have witnessed a 221% jump year-over-year as of June 2023.

Read also: Asia’s Leading Pharma Giant Suffers Ransomware Attack

Preventive Measures against Mallox Attacks

To minimize the attack surface and limit the options for attackers, Futurism advises proper configuration and patching for internet-facing applications and systems. It’s also crucial to have endpoint security controls in place for performing in-memory inspection to detect process-injection attempts, lateral movement efforts, and attempts to evade security controls.

• Organizations should also ensure that all Internet-facing applications are configured properly, and all systems are patched and up-to-date wherever possible. Regularly updating and changing passwords, especially for MS-SQL servers, can help prevent brute force attacks. In addition, implementing multi-factor authentication or deploying a robust identity and access management solution can add an extra layer of security.

• IT and security experts should regularly back up their data and ensure that backups are not connected to the computers and networks they are backing up. This can help organizations recover encrypted data without having to pay a ransom.

• Employee training. Regularly train employees about the dangers of phishing emails and other common ransomware entry points. They should be educated about the importance of not clicking on links or downloading attachments from unknown sources. Having a powerful email security solution in place is advisable to keep such threats at bay.

• Use antivirus software. Ensure that all systems have the latest antivirus software installed. This software should be set to automatically update to protect against the latest threats.

• Network segmentation. Segment your network to prevent infections from spreading. By doing this, if a system is compromised, the damage can be contained to that segment of the network.

• Conduct regular security audits to identify and address vulnerabilities. This can include conducting vulnerability assessment and penetration testing on a regular basis.

• Have a well-defined incident response plan in place. This plan should outline the steps to be taken in the event of a ransomware attack, including how to isolate infected systems and who to contact.

See how Futurism XDR services can help

• AI-powered security. Deploy advanced threat protection for-to-the-minute protection from advanced and sophisticated threats including new strands of Ransomware.

• Implement the principle of least privilege. Users should only have access to the resources they need for their work. This can limit the spread of ransomware if a user’s account is compromised.

• Keep all software and operating systems up to date. Many ransomware attacks exploit known vulnerabilities in software, so keeping your systems updated can help prevent these attacks.

Read also: Over 200k WordPress Websites Vulnerable to Cyberattacks

• Use firewalls to block all incoming access to your network except for the ports and services that are needed. This can help to prevent unauthorized access.

• Implement an intrusion detection system to identify any unusual activity or anomalies that could indicate a ransomware attack.

Takeaway

By implementing these preventive measures, organizations can further strengthen their defenses against the rising threat of Mallox ransomware and other similar cyber threats. The rise of the Mallox ransomware group underscores the importance of robust cybersecurity measures and practices. As the group continues to expand its operations and refine its tactics, organizations must remain vigilant and proactive in their cybersecurity efforts to protect their networks and data.

Disclaimer: All the data and stats presented in this article are solely those of the original authors and their source websites. They do not reflect or represent the objectives, philosophies, or perspectives of Futurism Technologies.