A new variant of the Mallox ransomware, known as Mallox Linux 1.0, has recently surfaced, targeting Linux and VMware ESXi environments [1][2]. The variant is derived from the leaked Kryptina ransomware code, and its appearance shows how readily ransomware operators repurpose abandoned tooling for new platforms [1][2].

Description

A new strain of the Mallox ransomware, named Mallox Linux 1.0, has been attributed to the Mallox ransomware operation [2]. With this variant the group has shifted its focus towards Linux and VMware ESXi environments. It is based on the leaked Kryptina ransomware code and retains Kryptina's AES-256 encryption mechanism and decryption routines [1][2]. The findings, presented by SentinelLabs at LABScon 2024, illustrate a trend of more sophisticated threat actors picking up and repurposing abandoned ransomware tools [1]. Leaked data also revealed configurations for multiple Mallox campaigns targeting at least 14 victims, illustrating the tangled landscape of cross-pollinated toolsets and non-linear codebases in the ransomware ecosystem [1]. SentinelLabs expects outlier platforms like Kryptina to continue being absorbed into the tactics, techniques and procedures (TTPs) of advanced threat actors [1].

Conclusion

The emergence of Mallox Linux 1.0 underscores the evolving nature of ransomware attacks, with threat actors adapting and repurposing existing tools to reach new environments. Because this variant targets Linux and VMware ESXi hosts rather than the Windows endpoints more commonly associated with Mallox, organizations should ensure that their ransomware defences, detection coverage and backup strategy extend to hypervisors and Linux servers, not just workstations. The absorption of outlier platforms like Kryptina into the arsenal of sophisticated threat actors signals that defenders should expect familiar code to resurface under new names and on new platforms.

References

[1] https://www.infosecurity-magazine.com/news/kryptina-ransomware-resurfaces/
[2] https://www.beforecrypt.com/en/news-week-september-16th-to-september-23rd-2024/