The Mallox ransomware group is targeting VMware ESXi environments with a new Linux variant that specifically aims to deploy its payload on machines with high-level user privileges, as discovered by researchers at Trend Micro. Mallox, also known as Fargo and Tohnichi, has been active since June 2021 and has infected hundreds of organizations worldwide, primarily in the manufacturing, retail, wholesale, legal, and professional services industries.
The new Linux variant uses a custom shell script to spread and execute the ransomware in virtualized environments, likely to cause more disruption and increase the chances of a ransom payment. This variant is operated by a Mallox affiliate known as “Vampire,” indicating involvement in broader campaigns with high ransom demands and comprehensive attacks on IT systems.
In addition to executing the ransomware, the custom shell script exfiltrates victim information to two different servers for data backup purposes. Mallox is known to use a leak site to disclose data stolen in its ransomware attacks. The variant first checks whether the executable is running with administrative rights and stops if they are not present. It then leaves a text file containing victim information, sends it to a command-and-control server, and appends the “.locked” extension to encrypted files.
The IP address used for data exfiltration and payload execution has never been used by Mallox before; it is hosted by a Chinese ISP and was possibly leased for short-term hosting of the malicious payload. The binary checks whether the system is a VMware ESXi environment before running its encryption routine and leaving a ransom note with instructions.
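The one file-system indicator the article gives for this variant is the “.locked” extension appended to encrypted files. The following is an added example (not code from the article or from Trend Micro) of a small defender-side sweep that walks a datastore path, counts files carrying that extension, optionally restricts the count to files modified within a recent window (a burst of fresh “.locked” files is the usual signature of an encryption run in progress), and flags the tree when the locked share crosses a threshold. The directory layout, file names, and the 20% threshold are constructed for the demo and are not taken from the article.

```python
import os
import tempfile
import time
from collections import Counter
from pathlib import Path

# Extension the article says this Mallox variant appends to encrypted files.
LOCKED_EXT = ".locked"


def scan_for_locked_files(root, threshold=0.2, recent_minutes=None):
    """Walk `root` and report how many files carry LOCKED_EXT.

    threshold       share of files that must be locked before the tree is flagged
                    (0.2 is a constructed demo value, not from the article)
    recent_minutes  if set, only count locked files modified within this window,
                    which separates an active encryption burst from old artifacts
    """
    now = time.time()
    total = 0
    locked = 0
    dirs_hit = Counter()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            total += 1
            if not name.endswith(LOCKED_EXT):
                continue
            full = os.path.join(dirpath, name)
            if recent_minutes is not None:
                age_min = (now - os.path.getmtime(full)) / 60.0
                if age_min > recent_minutes:
                    continue
            locked += 1
            dirs_hit[dirpath] += 1
    ratio = locked / total if total else 0.0
    return {
        "total": total,
        "locked": locked,
        "ratio": ratio,
        "suspicious": locked > 0 and ratio >= threshold,
        "dirs": dict(dirs_hit),
    }


def build_sample_tree(infected=True):
    """Create a constructed sample datastore in a temp dir and return its path.

    With infected=True two of the four files carry LOCKED_EXT, mimicking a VM
    folder whose config and disk have already been encrypted. The names are
    invented for the demo.
    """
    root = Path(tempfile.mkdtemp(prefix="locked_scan_demo_"))
    vm = root / "datastore1" / "vm01"
    vm.mkdir(parents=True)
    suffix = LOCKED_EXT if infected else ""
    (vm / f"vm01.vmx{suffix}").write_bytes(b"\x00" * 16)
    (vm / f"vm01-flat.vmdk{suffix}").write_bytes(b"\x00" * 16)
    (vm / "vm01.nvram").write_bytes(b"\x00" * 16)
    (root / "datastore1" / "README.txt").write_text("constructed sample\n")
    return root


if __name__ == "__main__":
    for state in (True, False):
        tree = build_sample_tree(infected=state)
        report = scan_for_locked_files(tree, recent_minutes=60)
        print(f"infected={state}: {report}")
```

On a real host you would point `scan_for_locked_files` at the datastore mount rather than the constructed tree, and pair the result with the other indicators the article lists (the dropped victim-information text file and outbound traffic to an unfamiliar exfiltration address), since an extension count alone is easy to miss on a partially encrypted volume.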
Organizations running Linux environments on VMware ESXi are advised to implement cybersecurity measures like enabling multi-factor authentication, following the “3-2-1 rule” for backing up important files, and regularly patching and updating systems to prevent ransomware attacks. Mallox’s evolving tactics in targeting Linux environments emphasize the importance of heightened vigilance and proactive cybersecurity measures to protect against cyber threats.
Article Source
https://www.darkreading.com/cloud-security/mallox-ransomware-variant-targets-privileged-VMware-esxi-environment