A recent incident involving an MSSQL honeypot has revealed the tactics used by cyber-attackers deploying Mallox ransomware [3].


The Sekoia research team’s honeypot was targeted by an intrusion set using brute-force techniques to deploy Mallox ransomware via PureCrypter [3] [4], exploiting vulnerabilities in MSSQL servers [2]. The attackers gained initial access through a brute-force attack on the “sa” account and persisted in brute-forcing throughout the observation period [3] [4]. They leveraged various techniques [1] [3], such as enabling parameters [4], creating assemblies [4], and executing commands via xp_cmdshell and Ole Automation Procedures [4], to execute the Mallox ransomware [3] [4].

The Mallox ransomware is distributed by the Mallox group [2] [3], a Ransomware-as-a-Service operation utilizing a double extortion strategy [3]. Two distinct affiliates were identified [3], with one focusing on vulnerable assets and the other on broader compromises of information systems [3]. Affiliates such as Maestro [1] [3] [4], Vampire [1] [2] [3] [4], and Hiervos were highlighted for their different tactics and ransom demands [3].

The hosting company Xhost Internet [3] [4], linked to AS208091 [3] [4], was implicated in the attack, raising suspicions due to its association with ransomware activity in the past. Sekoia.io analysts will continue to monitor activities associated with this AS and investigate related operations [3] [4].


This incident underscores the importance of securing MSSQL servers and implementing strong authentication measures to prevent brute-force attacks. Organizations should also be vigilant against ransomware attacks and regularly update their security protocols to mitigate risks. The identification of specific affiliates and their tactics provides valuable insights for cybersecurity professionals to enhance threat intelligence and response strategies. Continued monitoring and investigation of related operations will be crucial in staying ahead of evolving cyber threats.
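As a detection aid for the sequence described above (repeated failed “sa” logins, then xp_cmdshell and Ole Automation Procedures being switched on), the following is an added example and not code from Sekoia or the cited articles. It scans SQL Server error-log lines; the sample log, the threshold of 3 and the finding names are constructed for illustration, and it assumes login auditing records both failed and successful logins.

```python
import re
from collections import Counter

# Constructed sample lines in SQL Server ERRORLOG format (not from the incident).
SAMPLE_LOG = """\
2024-05-01 10:15:30.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-05-01 10:15:31.25 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-05-01 10:15:32.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-05-01 10:16:05.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.50]
2024-05-01 10:16:20.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 192.0.2.50]
2024-05-01 10:17:45.80 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]
2024-05-01 10:18:01.00 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-05-01 10:18:02.00 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-05-01 10:18:03.00 spid55      Configuration option 'Ole Automation Procedures' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

# Message patterns written by SQL Server for 'sa' logins and sp_configure changes.
FAILED = re.compile(r"Login failed for user 'sa'\..*\[CLIENT: ([^\]]+)\]")
SUCCESS = re.compile(r"Login succeeded for user 'sa'\..*\[CLIENT: ([^\]]+)\]")
CONFIG = re.compile(r"Configuration option '([^']+)' changed from 0 to 1\.")
WATCHED = {"xp_cmdshell", "ole automation procedures"}  # options named in the report

def analyze(log_text, threshold=3):
    """Return (kind, timestamp, detail) findings in log order."""
    failures = Counter()  # failed 'sa' logins per client address
    findings = []
    for line in log_text.splitlines():
        ts = line[:22]  # 'YYYY-MM-DD hh:mm:ss.ff'
        if m := FAILED.search(line):
            ip = m.group(1)
            failures[ip] += 1
            if failures[ip] == threshold:  # report once, when the threshold is reached
                findings.append(("bruteforce", ts, ip))
        elif m := SUCCESS.search(line):
            ip = m.group(1)
            if failures[ip] >= threshold:  # success from an address already flagged
                findings.append(("sa_login_after_bruteforce", ts, ip))
        elif (m := CONFIG.search(line)) and m.group(1).lower() in WATCHED:
            findings.append(("exec_feature_enabled", ts, m.group(1)))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The single mistyped password from 192.0.2.50 stays below the threshold and is not reported, while the successful login that follows the burst from 203.0.113.7 is.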


[1] https://thecyberthrone.in/2024/05/13/mallox-ransomware-deployed-exploiting-sql-honeypots/
[2] https://cybersecuritynews.com/exploit-ms-sql-mallox-ransomware/
[3] https://www.infosecurity-magazine.com/news/mallox-ransomware-deployed-via-ms/
[4] https://ciso2ciso.com/mallox-ransomware-deployed-via-ms-sql-honeypot-attack-source-www-infosecurity-magazine-com/