Original Article Text


New Mallox ransomware Linux variant based on leaked Kryptina code. An affiliate of the Mallox ransomware operation, also known as TargetCompany, was spotted using a slightly modified version of the Kryptina ransomware to attack Linux systems. This version, according to SentinelLabs, is separate from other Linux-targeting variants of Mallox, such as the one described last June by Trend Micro researchers, highlighting the shifting tactics of the ransomware ecosystem. It is also another sign that Mallox, previously a Windows-only malware, is putting Linux and VMware ESXi systems into its crosshairs, marking a significant evolution for the operation.

From Kryptina to Mallox

Kryptina was launched as a low-cost ($500-$800) ransomware-as-a-service (RaaS) platform for targeting Linux systems in late 2023 but failed to gain traction in the cybercrime community. In February 2024, its purported administrator, using the alias "Corlys," leaked Kryptina's source code for free on hacking forums, where it was presumably picked up by ransomware actors interested in getting their hands on a working Linux variant.

After a Mallox affiliate suffered an operational error and exposed their tools, SentinelLabs discovered that Kryptina had been adopted by the project and that its source code was used for building rebranded Mallox payloads. The rebranded encryptor, named "Mallox Linux 1.0," uses Kryptina's core source code, the same AES-256-CBC encryption mechanism and decryption routines, and the same command-line builder and configuration parameters. This indicates that the Mallox affiliate only modified the appearance and name, removed references to Kryptina in ransom notes, scripts, and files, and condensed the existing documentation into a "lite" form, leaving everything else unchanged.

Apart from Mallox Linux 1.0, SentinelLabs found various other tools on the threat actor's server, including:

Currently, it remains uncertain whether the Mallox Linux 1.0 variant is being used by a single affiliate, multiple affiliates, or all Mallox ransomware operators alongside the Linux variant discussed in our previous report.

Daily Brief Summary

MALWARE // New Mallox Ransomware Targets Linux Systems Using Leaked Code

The Mallox ransomware group has developed a Linux-targeting variant using leaked source code from Kryptina ransomware.

SentinelLabs identified that the new variant, dubbed "Mallox Linux 1.0", largely retains the core features of Kryptina, such as AES-256-CBC encryption.

This development marks Mallox's strategic expansion from previously targeting only Windows systems to now including Linux and VMware ESXi systems.

Originally priced at $500-$800, the Kryptina ransomware failed to attract significant interest, and its source code was ultimately leaked by its administrator "Corlys" in early 2024.

The leaked code was repurposed by a Mallox affiliate to create Mallox Linux 1.0, modifying only superficial elements like naming and documentation; the reuse came to light after an operational mishap exposed the affiliate's tools.

It remains unclear if this new Linux variant is being deployed by one specific affiliate or if it has been adopted by all operators within the Mallox ransomware ecosystem.

The incident highlights ongoing shifts and adaptations within the ransomware landscape, reflecting broader trends in cyber threat development and distribution.