Avast has unveiled a free decryption tool to assist victims of the Mallox ransomware attacks. The tool specifically targets files encrypted between 2023 and early 2024, which typically bear extensions such as .bitenc, .ma1x0, .mallab, .malox, .mallox, .malloxx, and .xollam.
This ransomware, initially identified in 2021 and also known by aliases such as Fargo, TargetCompany, and Tohnichi, operates under a ransomware-as-a-service (RaaS) model, predominantly targeting Microsoft SQL servers through opportunistic attacks.
Avast researchers identified a vulnerability within the ransomware's cryptographic scheme, enabling the development of this decryptor. However, it is crucial to note that the cryptographic flaw was rectified by Mallox developers in March 2024, limiting the tool's application to earlier versions.
Avast advises affected users to run the decryptor on the same machine where the data was encrypted to maximize the chances of successful recovery. The tool is pivotal for organizations across various sectors, including government, IT, legal services, manufacturing, and more, that have fallen prey to Mallox's double extortion tactics.
Mallox ransomware primarily targets Windows systems but has also been adapted to attack Linux and VMware ESXi environments. It exploits unpatched vulnerabilities and weak passwords to gain initial access, deploying droppers and scripts to escalate privileges and deploy encryption tools.
The ransomware uses the ChaCha20 encryption algorithm and appends the ‘.rmallox’ extension to affected files. It further disrupts operations by terminating SQL database processes, encrypting critical files, and disabling shadow copies to thwart recovery efforts.
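Before running a decryptor on an affected machine, responders usually want to know how many files carry each ransomware extension and which of those the tool claims to handle. The following triage script is an added example and is not Avast's decryptor or code from this article: it walks a directory tree, groups files by the Mallox extensions named above, and separates the extensions the article says the decryptor targets (.bitenc, .ma1x0, .mallab, .malox, .mallox, .malloxx, .xollam) from the .rmallox extension the article also attributes to Mallox. The sample directory it builds is constructed for the demonstration.

```python
"""Triage helper: inventory files carrying Mallox ransomware extensions.

Added example, not Avast's decryptor or any code from the article. It scans a
directory tree, groups files by the Mallox extensions the article lists, and
separates those the article says the Avast decryptor covers from the .rmallox
extension the article also mentions, so responders can scope recovery before
running the decryptor on the affected machine.
"""
from __future__ import annotations

import os
import tempfile
from collections import defaultdict
from pathlib import Path

# Extensions the article says the Avast decryptor targets (files from 2023 to early 2024).
DECRYPTOR_COVERED = frozenset({
    ".bitenc", ".ma1x0", ".mallab", ".malox", ".mallox", ".malloxx", ".xollam",
})
# Extension the article also attributes to Mallox but does not list for the decryptor.
OTHER_MALLOX = frozenset({".rmallox"})
ALL_MALLOX = DECRYPTOR_COVERED | OTHER_MALLOX


def mallox_extension(path: Path) -> str | None:
    """Return the Mallox extension if the file name ends with one, else None.

    Ransomware of this kind appends its extension after the original one
    (e.g. report.docx.mallox), so only the final suffix is checked, case-insensitively.
    """
    suffix = path.suffix.lower()
    return suffix if suffix in ALL_MALLOX else None


def inventory(root: str | os.PathLike) -> dict[str, list[str]]:
    """Walk `root` and map each Mallox extension found to the affected file paths."""
    found: dict[str, list[str]] = defaultdict(list)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            ext = mallox_extension(p)
            if ext is not None:
                found[ext].append(str(p))
    return dict(found)


def summarize(found: dict[str, list[str]]) -> dict[str, int]:
    """Count files whose extension is in the decryptor's stated list versus the rest."""
    covered = sum(len(v) for k, v in found.items() if k in DECRYPTOR_COVERED)
    other = sum(len(v) for k, v in found.items() if k in OTHER_MALLOX)
    return {"decryptor_covered": covered, "other_mallox": other}


def build_sample_tree() -> str:
    """Create a constructed sample directory with a few encrypted-looking file names."""
    root = tempfile.mkdtemp(prefix="mallox_triage_")
    samples = [
        "finance/q3-report.xlsx.mallox",
        "finance/budget.docx.MALLOX",     # upper-case variant of the same extension
        "legal/contract.pdf.xollam",
        "backups/db.bak.rmallox",
        "notes/readme.txt",               # untouched file, must not be reported
    ]
    for rel in samples:
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    found = inventory(root)
    for ext, paths in sorted(found.items()):
        tag = "decryptor-covered" if ext in DECRYPTOR_COVERED else "other Mallox ext"
        print(f"{ext:10} {len(paths):3} file(s)  [{tag}]")
    print(summarize(found))
```

Point `inventory()` at the real data root on the affected host (the article recommends running recovery on the machine where the encryption happened) and keep the output with the incident record: the per-extension counts give a before-and-after measure of what the decryptor actually restored, and any files in the "other Mallox" bucket are known up front not to be in the tool's stated scope.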
The release of this decryption tool by Avast represents a beacon of hope for countless organizations grappling with the aftermath of the Mallox attacks. Similarly, several fundamental security flaws in the Web infrastructure used by ransomware gangs like Everest, BlackCat, and Mallox saved six companies from having to pay potentially hefty ransom demands.
In June, the Federal Bureau of Investigation (FBI) offered thousands of LockBit decryption keys to the victims inside and outside the U.S. after a successful joint disruption operation.