September 23, 2024 at 02:32PM
A Mallox affiliate was found using a modified version of Kryptina ransomware to target Linux systems, signifying the ransomware’s shift from Windows to Linux and VMWare ESXi systems. Kryptina’s leaked source code was utilized to create the rebranded “Mallox Linux 1.0” encryptor. Various other tools, including a Kaspersky password reset tool and exploit for Windows, were also discovered.
Based on the meeting notes provided, the key takeaways are as follows:
– An affiliate of the Mallox ransomware operation, also known as TargetCompany, has been identified using a modified version of the Kryptina ransomware to target Linux systems.
– This development signifies a significant shift in tactics for the ransomware ecosystem, indicating that Mallox, previously known as a Windows-only malware, is now targeting Linux and VMWare ESXi systems.
– The Kryptina ransomware, initially launched as a low-cost ransomware-as-a-service (RaaS) platform for Linux systems, failed to gain traction and its source code was leaked by its administrator in February 2024.
– Following an operational error by a Mallox affiliate which led to the exposure of their tools, it was discovered that Kryptina’s source code was used to build the rebranded Mallox Linux 1.0 encryptor.
– Mallox Linux 1.0 utilizes Kryptina’s core source code, encryption mechanism, decryption routines, command-line builder, and configuration parameters with minor modifications to appearance, name, and documentation.
– SentinelLabs also found various other tools on the threat actor’s server, including legitimate tools, an exploit for a privilege escalation flaw on Windows 10 and 11, privilege escalation scripts, Java-based payload droppers, disk image files containing Mallox payloads, and data folders for potential victims.
– At present, it remains unclear whether the Mallox Linux 1.0 variant is being used by a single affiliate, multiple affiliates, or all Mallox ransomware operators alongside the previously discussed Linux variant.
These takeaways reflect the significant developments and activities within the Mallox ransomware operation and provide a comprehensive understanding of the situation.