Hackers have modified the infamous Mallox ransomware to also target Linux systems, experts say.
The new version is called Mallox Linux 1.0, and was recently discovered by cybersecurity researchers SentinelLabs after Mallox operators accidentally leaked their tools.
Analysis of the tool led researchers to conclude that Mallox Linux 1.0 is actually a rebrand of the Kryptina cryptor. Kryptina was developed last year by a threat actor using the alias “Corlys,” who attempted to rent the tool out for approximately $800. However, since the cybercriminal community showed little interest in the tool, Corlys shared it for free, hoping that someone might use it.
Target company
Now, it seems that Mallox did just that, as the new variant uses the Kryptina source code, the same encryption mechanism (AES-256-CBC), and the same decryption routines. Moreover, it also uses the same command-line generator and configuration parameters. It appears that the Mallox developers only changed the name and appearance of the encryptor and removed any mention of Kryptina from the documentation. Everything else remains unchanged.
There is no information on potential victims yet, but in their analysis, Kaspersky researchers claim that Mallox affiliates “do not restrict their activities to a specific country.” Instead, they attack vulnerable companies wherever they are. However, most companies affected by a Mallox variant are located in Brazil, Vietnam or China.
The ransomware is also known as Fargo or TargetCompany and has been active in one form or another since June 2021. At first, it primarily targeted unsecured MS-SQL servers, as Sekoia discovered. Another distinctive feature of Mallox is that it threatens victims, especially those located in the European Union, with exposure of potential GDPR violations.
Between October 2022 and March 2023, its affiliates stole data from at least 20 organizations.
Via BleepingComputer