Ransomware Mallox: New Variant and Current Ransomware Threat Trends


An affiliate of the Mallox ransomware operation, also known as TargetCompany, has been found using a modified version of the Kryptina ransomware to attack Linux systems.
Details
New Variant of Mallox Ransomware for Linux Based on Leaked Kryptina Code
A new variant linked to the Mallox ransomware group has been developed to target Linux systems. This variant is based on the leaked source code of the Kryptina ransomware.
Kryptina was launched as a low-cost ransomware-as-a-service (RaaS) platform ($500-800) targeting Linux systems in late 2023, but it did not gain traction in the cybercrime community.
This is an example of how cybercriminal groups use leaked source code to create new attack tools. The shift to targeting Linux indicates that Mallox is expanding its operations.
Origin of the New Variant:
- In February 2024, the alleged administrator of Kryptina, using the alias "Corlys," leaked the Kryptina source code for free on hacking forums. This likely attracted other ransomware actors looking for a working Linux variant.
- This illustrates how cybercriminal groups can quickly use available tools to develop new threats.
Features of the New Variant:
- Named "Mallox Linux 1.0"
- Reuses most of the original Kryptina code
- Only the interface and branding are changed; references to Kryptina are removed
The malware, renamed "Mallox Linux 1.0," keeps the core of Kryptina: the AES-256-CBC encryption routine, the decryption logic, the configuration parameters, and the command-line builder. Mallox changes only the interface and name, removing references to Kryptina from ransom notes, scripts, and file names and trimming the existing documentation, and leaves everything else unchanged.
(Image: ransom note of Mallox Linux 1.0)
Impact
Using the Kryptina source code allows Mallox to quickly develop an effective Linux variant. This could lead to a rapid increase in attacks targeting Linux systems.
Because this variant reuses known Kryptina code, existing detections for Kryptina largely carry over to it. Organizations whose security tooling has not been updated, or that have weak coverage of Linux hosts, remain at risk.
Organizations need to quickly reassess their security strategies, paying special attention to protecting Linux systems and updating ransomware prevention measures.
IOCs
Hash SHA-256:
0427a9f68d2385f7d5ba9e9c8e5c7f1b6e829868ef0a8bc89b2f6dae2f2020c4
Hash SHA-1:
0b9d2895d29f7d553e5613266c2319e10afdda78
0de92527430dc0794694787678294509964422e6
0e83d023b9f6c34ab029206f1f11b3457171a30a
0f1aea2cf0c9f2de55d2b920618a5948c5e5e119
0f632f8e59b8c8b99241d0fd5ff802f31a3650cd
1379a1b08f938f9a53082150d53efadb2ad37ae5
21bacf8daa45717e87a39842ec33ad61d9d79cfe
262497702d6b7f7d4af73a90cb7d0e930f9ec355
29936b1aa952a89905bf0f7b7053515fd72d8c5c
2b3fc20c4521848f33edcf55ed3d508811c42861
341552a8650d2bdad5f3ec12e333e3153172ee66
43377911601247920dc15e9b22eda4c57cb9e743
58552820ba2271e5c3a76b30bd3a07144232b9b3
5cf67c0a1fa06101232437bee5111fefcd8e2df4
88a039be03abc7305db724079e1a85810088f900
9050419cbecc88be7a06ea823e270db16f47c1ea
93ef3578f9c3db304a979b0d9d36234396ec6ac9
a1a8922702ffa8c74aba9782cca90c939dfb15bf
b07c725edb65a879d392cd961b4cb6a876e40e2d
b27d291596cc890d283e0d3a3e08907c47e3d1cc
b768ba3e6e03a77004539ae999bb2ae7b1f12c62
c20e8d536804cf97584eec93d9a89c09541155bc
c4d988135e960e88e7acfae79a45c20e100984b6
d46fbc4a57dce813574ee312001eaad0aa4e52de
d618a9655985c33e69a4713ebe39d473a4d58cde
dc3f98dded6c1f1e363db6752c512e01ac9433f3
ee3cd3a749f5146cf6d4b36ee87913c51b9bfe93
ef2565c789316612d8103056cec25f77674d78d1
f17d9b3cd2ba1dea125d2e1a4aeafc6d4d8f12dc
Network Comms:
185[.]73[.]125[.]6
grovik71[.]theweb[.]place
whyers[.]io
https://whyers[.]io/QWEwqdsvsf/ap.php
http://80[.]66[.]75[.]44
http://80[.]66[.]76[.]251
http://87[.]251[.]75[.]92
Tox ID: 290E6890D02FBDCD92659056F9A95D80854534A4D76EE5D3A64AFD55E584EA398722EC2D3697
BTC Address: 18CUq89XR81Y7Ju2UBjER14fYWTfVwpGP3
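The indicators above are only useful once they are matched against something. The script below is an added example (not code from the original post, nor from the Mallox or Kryptina samples) showing how a responder would use them: it refangs the published network indicators and searches log lines for them with boundaries that avoid partial IP matches, and it hashes files under a directory tree and compares them against the SHA-256/SHA-1 list. The indicator values are copied from the IOC section; the SHA-1 set is shortened for space and should be extended with the rest of the list; the log lines in SAMPLE_LOG are constructed for the demonstration and do not come from any real incident.

```python
"""Match the Mallox Linux 1.0 indicators listed above against local files and
network logs. Added example, not code from the original post or from the
Mallox/Kryptina samples. Indicator values are copied from the IOC section
above; SAMPLE_LOG is constructed for the demonstration."""
import hashlib
import os
import re

# File hashes from the IOC section (SHA-1 list truncated here; extend it with
# the remaining values from the list above).
SHA256_IOCS = {
    "0427a9f68d2385f7d5ba9e9c8e5c7f1b6e829868ef0a8bc89b2f6dae2f2020c4",
}
SHA1_IOCS = {
    "0b9d2895d29f7d553e5613266c2319e10afdda78",
    "0de92527430dc0794694787678294509964422e6",
    "0e83d023b9f6c34ab029206f1f11b3457171a30a",
    "f17d9b3cd2ba1dea125d2e1a4aeafc6d4d8f12dc",
}
# Network indicators, kept defanged as published and refanged at match time.
# The http:// scheme is dropped from the bare IPs so they match in any log field.
NETWORK_IOCS_DEFANGED = [
    "185[.]73[.]125[.]6",
    "grovik71[.]theweb[.]place",
    "whyers[.]io",
    "https://whyers[.]io/QWEwqdsvsf/ap.php",
    "80[.]66[.]75[.]44",
    "80[.]66[.]76[.]251",
    "87[.]251[.]75[.]92",
]

# Constructed firewall/proxy log lines (not from any real incident).
SAMPLE_LOG = [
    "2024-09-20T10:01:02Z host=web01 dst=93.184.216.34 dport=443 action=allow",
    "2024-09-20T10:01:09Z host=web01 dst=185.73.125.6 dport=443 action=allow",
    "2024-09-20T10:02:15Z host=db02 dst=185.73.125.60 dport=22 action=allow",
    "2024-09-20T10:03:40Z host=web01 url=https://whyers.io/QWEwqdsvsf/ap.php action=allow",
    "2024-09-20T10:04:01Z host=db02 dst=80.66.76.251 dport=80 action=deny",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('[.]', '[[.]]', 'hxxp') back into a matchable string."""
    ioc = ioc.replace("[[.]]", ".").replace("[.]", ".")
    return re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE)


def _ioc_pattern(ioc: str):
    # Boundaries exclude word characters and dots, so 185.73.125.6 does not
    # match inside 185.73.125.60 or 1185.73.125.6.
    return re.compile(r"(?<![\w.])" + re.escape(refang(ioc)) + r"(?![\w.])")


NETWORK_PATTERNS = [(refang(i), _ioc_pattern(i)) for i in NETWORK_IOCS_DEFANGED]


def find_network_hits(lines=SAMPLE_LOG):
    """Return (1-based line number, refanged indicator) for every IOC seen in the lines."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for ioc, pat in NETWORK_PATTERNS:
            if pat.search(line):
                hits.append((n, ioc))
    return hits


def hash_file(path: str):
    """Stream a file through SHA-256 and SHA-1; returns (sha256_hex, sha1_hex)."""
    h256, h1 = hashlib.sha256(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h256.update(chunk)
            h1.update(chunk)
    return h256.hexdigest(), h1.hexdigest()


def scan_files(root: str, sha256_set=SHA256_IOCS, sha1_set=SHA1_IOCS):
    """Walk `root` (symlinks are not followed) and return (path, algo, digest) for matches."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                s256, s1 = hash_file(path)
            except OSError:  # unreadable file: skip it rather than abort the scan
                continue
            if s256 in sha256_set:
                hits.append((path, "sha256", s256))
            elif s1 in sha1_set:
                hits.append((path, "sha1", s1))
    return hits


if __name__ == "__main__":
    import sys
    for n, ioc in find_network_hits():
        print(f"network hit: line {n} -> {ioc}")
    for path, algo, digest in scan_files(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"file hit: {path} {algo}={digest}")
```

Run it with a directory as the first argument to hash everything under it. Note that hash matching only catches the exact samples listed; a rebuilt or repacked binary will not match, which is why the network indicators and behavioural detections matter as much as the file hashes.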
Recommendations
FPT Threat Intelligence recommends that organizations and individuals take the following steps to reduce the risk from Mallox ransomware:
Regularly update operating systems, applications, and security software on both Windows and Linux, prioritizing critical security patches.
Deploy next-generation firewalls (NGFW) and intrusion detection/prevention systems (IDS/IPS). Segment networks to limit malware spread in case of an intrusion.
Use VPNs for remote access and encrypt transmitted data.
Apply the Principle of Least Privilege.
Use multi-factor authentication (MFA) for all accounts, especially administrative ones.
Regularly back up data following the 3-2-1 rule (3 copies, 2 different media types, 1 offline copy). Verify backup integrity and practice data recovery regularly. Store backups offline or air-gapped to prevent encryption during an attack.
Implement a Security Information and Event Management (SIEM) system to monitor unusual activities. Develop and maintain an incident response team (CSIRT) to create and practice a ransomware incident response plan.
References
New Mallox ransomware Linux variant based on leaked Kryptina code, BleepingComputer: https://www.bleepingcomputer.com/news/security/new-mallox-ransomware-linux-variant-based-on-leaked-kryptina-code/
Written by Nguyễn Văn Trung
