Mallox Ransomware Detection: Increasing Attacks Abusing MS-SQL Servers

Cyber defenders have observed a recent surge in cyber attacks spreading Mallox ransomware. For a period of two years, ransomware operators have been abusing MS-SQL servers as the initial access vector to spread the infection further.

Detect Mallox Ransomware

With the growing activity of the Mallox ransomware gang and their ambitions to expand the impact and scope of their attacks, cyber defenders require ultra-responsiveness to stay ahead of the related threats. Leveraging SOC Prime Platform for collective cyber defense, security teams can equip themselves with cutting-edge tooling to detect ransomware attacks faster and more efficiently, prioritize their detection and hunting procedures, and future-proof the cybersecurity posture. 

To access the entire list of Sigma rules for Mallox ransomware detection, click the Explore Detections button. Security engineers can gain insights into the cyber threat context, like ATT&CK and CTI links, and more useful metadata required for threat investigation.

Explore Detections

All the above-mentioned Sigma rules are mapped to the MITRE ATT&CK framework and are compatible with cloud-native and on-prem SIEM and other security solutions. Alternatively, security engineers can apply relevant Sigma rules for TargetCompany, FARGO, or Tohnichi detection, which are other monikers used to identify Mallox ransomware.

Mallox Ransomware Analysis

Unit 42 team has uncovered a rise in the Mallox ransomware distribution with the massive exploitation of MS-SQL servers, which has grown by over 150% as compared with 2022. In these campaigns, Mallox ransomware operators apply brute forcing, data exfiltration, and other adversary techniques. Adversaries tend to expand their offensive activity by looking for affiliates on the dark net luring them to join a RaaS affiliate program. 

Mallox ransomware distributors steal data from the targeted organizations and then force compromised users to pay a ransom by threatening them to leak the acquired data. They have been affecting dozens of organizations from across the world in multiple industry sectors. 

Since the Mallox ransomware operators emerged in the cyber threat arena in 2021, they have been steadily leveraging the same adversary method to infiltrate the network by exploiting MS-SQL servers. At the initial attack stage, adversaries perform brute forcing and then use command-line operations and PowerShell code to drop Mallox ransomware strains remotely. 

As viable measures aimed to reduce the attack surface, cyber defenders recommend considering the proper setup of internet-facing apps along with all required updates and patches.

Gain access to over 650 unique Sigma rules to detect ransomware attacks to boost your cyber resilience. Obtain 30+ rules for free or reach all detections with On Demand at https://tdm.socprime.com/journey/tdm/.