Threat Advisory: Mallox Ransomware Strikes Unsecured MSSQL Servers
04 August 2023

Written by Seqrite
Ransomware, Technical

We have observed a sudden increase in ransomware incidents since June 2023 in which encrypted files are given the “.malox” extension. This ransomware has been identified as a variant of the Mallox (aka TargetCompany) ransomware family.

The ransom note, named “File Recovery.txt,” is dropped during the attack. It provides an Onion link for contacting the attackers about decryption:

Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin

Our research indicates that Mallox (aka TargetCompany) uses unsecured Microsoft SQL Servers as its attack vector to infiltrate victims’ systems and distribute the ransomware. The attackers brute-force logins on publicly exposed MSSQL instances to gain initial access to the victim’s network.

In the affected MSSQL environments we discovered suspicious command-line activity associated primarily with the ‘sqlservr.exe’ process. Based on these findings, we strongly advise our customers to follow the security best practices below to improve their protection against this threat.
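As an added example (not code from Seqrite's advisory), here is a small Python triage routine run over constructed Sysmon-style process-creation records; it flags shells and script interpreters launched by sqlservr.exe, which a database engine normally has no reason to start. The SQL Server install path, the record field names and the placeholder encoded command are assumptions.

```python
# Constructed Sysmon-style process-creation records (not real telemetry); field
# names follow Sysmon Event ID 1. The encoded command is a labelled placeholder.
SQL_BINN = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn"
SAMPLE_EVENTS = [
    {"ParentImage": SQL_BINN + r"\sqlservr.exe", "Image": SQL_BINN + r"\SQLDumper.exe",
     "CommandLine": "SQLDumper.exe", "User": r"NT SERVICE\MSSQLSERVER"},
    {"ParentImage": SQL_BINN + r"\sqlservr.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c "whoami"', "User": r"NT SERVICE\MSSQLSERVER"},
    {"ParentImage": SQL_BINN + r"\sqlservr.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand <PLACEHOLDER_B64>",
     "User": r"NT SERVICE\MSSQLSERVER"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe", "User": r"CORP\dba"},
]

# Interpreters and LOLBins that a database engine has no business launching.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "certutil.exe", "bitsadmin.exe", "rundll32.exe", "regsvr32.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return (severity, reasons) for one event; severity 0 means nothing to flag."""
    reasons = []
    if basename(ev["ParentImage"]) != "sqlservr.exe":
        return 0, reasons            # only children of the SQL Server process matter here
    child = basename(ev["Image"])
    if child in SHELL_CHILDREN:
        reasons.append(f"sqlservr.exe spawned {child}")
    cmd = ev["CommandLine"].lower()
    if "-enc" in cmd or " -e " in cmd:
        reasons.append("encoded PowerShell command line")
    if "bypass" in cmd:
        reasons.append("execution policy bypass")
    return len(reasons), reasons

def triage(events):
    """Keep only events that scored, in input order, for analyst review."""
    hits = []
    for ev in events:
        severity, reasons = score_event(ev)
        if severity:
            hits.append((basename(ev["Image"]), severity, reasons))
    return hits
```

The first record (SQLDumper.exe, a legitimate helper the SQL Server service itself starts) scores zero, which is the point of keying on the child image rather than on the parent alone.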

Securing Microsoft SQL Server instances is crucial to prevent Mallox Ransomware attacks. Follow these recommended steps to enhance the security of your SQL Server environment:

  1. Firewall Protection/Limiting Access: Use a firewall to restrict access to SQL servers. Allow incoming traffic only from trusted networks and IPs; in particular, block incoming traffic on port 1433 except from authorized sources.
  2. Change Default Port: Avoid exposing SQL Servers on the default port (1433) over the Internet, as it’s a common target for hackers. Consider using a secure connection like a VPN for accessing SQL servers remotely.
  3. Secure Account Management: Disable the ‘sa’ (system administrator) account or set a strong, unique password to minimize unauthorized access risks. The sa account holds high privileges.
  4. Strong Passwords: Enforce strong, unique passwords for all SQL logins. Use upper- and lower-case letters, numbers, and special characters to enhance password security.
  5. Account Lockout Policies: Implement account lockout policies that temporarily lock out SQL Server logins after multiple failed attempts. This deters brute force attacks.
  6. Audit SQL CLR Assemblies: Review and deactivate SQL CLR assemblies that are not essential. Routinely assess and remove any redundant assemblies to mitigate potential vulnerabilities.
  7. Encrypt Data in Transit: Use SSL/TLS protocols to encrypt data between clients and SQL servers during transmission. This safeguards against potential eavesdropping and data interception.
  8. Keep an Eye on SQL Server Activity: Use SQL Server auditing to track and log operations within your SQL Server instance, including failed logins. Actively monitoring these logs lets you detect and respond to brute-force attempts and other suspicious activity quickly.
  9. Stay Updated: Regularly apply the latest updates and patches to your SQL Server instance, Operating System, and other installed applications. This helps mitigate known vulnerabilities and ensures ongoing security.
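To put steps 5 and 8 into practice, the following added Python example (not code from the original advisory) parses SQL Server ERRORLOG logon lines and flags client addresses that fail repeatedly within a short window, noting whether the same client then logged in successfully. The sample log lines are constructed, and the threshold and window are assumptions; logging of successful logins requires the instance's login auditing to be set to both failed and successful logins.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in SQL Server ERRORLOG format (not real victim data).
SAMPLE_ERRORLOG = """\
2023-06-15 03:12:44.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-06-15 03:12:44.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-06-15 03:12:44.51 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-06-15 03:12:44.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-06-15 03:12:45.20 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.45]
2023-06-15 03:20:10.00 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.8]
2023-06-15 03:21:05.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.45]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)

def parse_logon_events(text):
    """Extract timestamp, outcome, login name and client address from logon lines."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(e)
    return events

def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag clients with >= threshold failures in any sliding window; note any later success."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        (failures if e["outcome"] == "failed" else successes)[e["client"]].append(e)
    alerts = {}
    for client, fails in failures.items():
        fails.sort(key=lambda e: e["ts"])
        start, peak = 0, 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[client] = {
                "peak_failures_in_window": peak,
                "users_tried": sorted({e["user"] for e in fails}),
                "success_after_burst": any(s["ts"] >= fails[-1]["ts"] for s in successes[client]),
            }
    return alerts
```

A burst of failures followed by a success from the same client is the case to escalate first, since it indicates the guessing may have worked.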

Impact on Shared Data During Ransomware Incidents

In many ransomware attacks we have seen a recurring pattern: files on network shares are also encrypted. Even where security software protects the individual endpoints, files on shared storage can still be modified by an infected host that has write access to them.

Precautionary measures for minimizing damage to shared data within the network:

  1. Restricting Access to Shared Folders: Use network separation to limit access to shared folders only to those who need it. Apply strong access controls to ensure that only authorized individuals can make changes to shared data on a network.
  2. Regular Data Backups: Consistently back up shared data to a secure and isolated location. Periodically test backups to verify data integrity and to ensure a swift data restoration process in the event of an attack.
  3. Scheduled Offline Backups: Maintain offline backups of critical shared data to protect against ransomware attacks that may attempt to encrypt live/online backups.

By adhering to these precautions, we can significantly reduce the risk of Mallox Ransomware attacks targeting Microsoft SQL Server instances and bolster the overall security posture of our environment.

How does Quick Heal/SEQRITE protect its customers from Mallox Ransomware?

Quick Heal/SEQRITE AV has signatures for various script files utilized in the attack, as well as for the Ransom payload. Below are the signatures against this Ransomware:

  • Mallox.S28994722
  • Downloader.Boxter.47436
  • Agent.CQ
  • Trojan-Downloader.A8341828
  • Script.Trojan.A8269601
