by Lucian Constantin
CSO Senior Writer

Ransomware gang increases attacks on insecure MSSQL servers

News Analysis
Jul 26, 2023 | 3 mins
Cyberattacks, Cybercrime, Ransomware

New research shows a dramatic rise in double-extortion ransomware attacks by the Mallox group

Image: man reacting to ransomware attack. Credit: Andrey_Popov / Shutterstock

Researchers warn about a spike in attacks against poorly secured Microsoft SQL (MSSQL) servers by a double-extortion ransomware gang known as Mallox. Security firm Palo Alto Networks reports a 174% increase in the number of Mallox attacks this year compared to the last half of 2022.

“The Mallox ransomware group claims hundreds of victims,” the Palo Alto researchers said in a report. “While the actual number of victims remains unknown, our telemetry indicates dozens of potential victims worldwide, across multiple industries, including manufacturing, professional and legal services, and wholesale and retail.”

MSSQL as a point of entry for ransomware attacks

The Mallox gang typically breaks into networks by compromising publicly exposed MSSQL servers that have weak credentials. The group's favorite method is dictionary-based brute-force attacks that use a list of known or commonly used passwords. Once inside, the attackers execute command-line and PowerShell scripts that pull down additional scripts, and eventually the Mallox payload, from a remote server and execute them on the system. Some of these files include updt.ps1, system.bat, and tzt.exe.

The system.bat script, which gets renamed to tzt.bat, creates a user account named SystemHelp and enables Remote Desktop Protocol (RDP) access for it. This gives the attackers an alternative way of connecting to the machine.

The tzt.exe file, which is the Mallox payload, is executed using Windows Management Instrumentation (WMI), and it attempts to disable and remove the legitimate sc.exe and net.exe processes. It then tries to delete Volume Shadow Copies to prevent data recovery and uses Microsoft's wevtutil command-line utility to clear the application, security, and system event logs to hinder forensic analysis. Additional routines involve terminating processes and services associated with security products to evade detection, bypassing the Raccine anti-ransomware program, and preventing system administrators from loading the System Image Recovery feature via bcdedit.exe.

The Mallox sample analyzed by Palo Alto Networks encrypted files using the ChaCha20 algorithm and appended the .malox extension to the encrypted files. However, the attackers used other file extensions in the past including .FARGO3, .exploit, .avast, .bitenc, .xollam, as well as the victims' names.

Mallox ransomware gang plans to expand

The Mallox group has been around since at least June 2021 and, like most modern ransomware gangs, engages in double extortion. In addition to encrypting files, the attackers also exfiltrate data and threaten to leak it on a public site if victims don't pay the ransom.

In January 2023, one of the alleged Mallox members gave an interview and described the group as relatively small but looking to expand. Palo Alto researchers have seen advertisements on two underground forums indicating that the Mallox group had set up a ransomware-as-a-service (RaaS) program and was looking for affiliates.

“The Mallox ransomware group has been more active in the past few months, and their recent recruiting efforts may enable them to attack more organizations if the recruitment drive is successful,” the researchers warned. “Organizations should implement security best practices and be prepared to defend against the ongoing threat of ransomware.”

Last month, security firm Trustwave reported that, based on data collected from its honeypots, MSSQL was by far the biggest target for attacks out of all database servers. MSSQL brute-force attacks dwarfed those against other databases, accounting for over 93% of attacks, with some campaigns peaking at 3 million login attempts.


Lucian Constantin writes about information security, privacy, and data protection for CSO.
