2023 Dec. – Threat Trend Report on Ransomware Statistics and Major Issues

This report provides statistics on the number of new ransomware samples, targeted systems, and targeted businesses in December 2023, as well as notable ransomware issues in Korea and other countries.

Statistics

The total number of new ransomware samples collected during the past six months is as follows.


Figure 1. Number of new ransomware samples

Key Trends

Multiple issues involving various ransomware families occurred in December 2023. This report briefly introduces the following key topics and gives details for reference. Ransomware-related topics that had not been covered in previous reports were given high priority when selecting the issues for this section.

  • Recent activities and changes in Mallox ransomware
  • CISA cybersecurity advisory on Play ransomware
  • Linux version of Qilin ransomware targets VMware ESXi

Readers whose security management system or current situation requires it are advised to check ATIP for issues that are not covered in this report.

1) Recent Activities and Changes in Mallox Ransomware

SentinelOne uploaded a blog post titled “Mallox Resurrected | Ransomware Attacks Exploiting MS-SQL Continue to Burden Enterprises” on December 13th, which covers the analysis of and responses to Mallox’s recent activities, initial access methods, and payloads.[1]

Mallox is a closed ransomware group with a small number of members that was first reported as TargetCompany ransomware around June 2021. In late 2022, the gang was also called FARGO ransomware because the “.FARGO” extension was appended to encrypted files. Its initial infiltration targets were mainly externally exposed, vulnerable MS-SQL or MySQL servers: servers with weak or poorly managed account credentials can be breached through brute-force and dictionary attacks. The Mallox group is known to avoid approaches that require interaction with the target, such as tricking victims into executing the malware for initial infiltration; it is therefore believed to rely on vulnerable servers or exploitable vulnerabilities for initial access. The group is known to exclude Kazakhstan, Russia, Qatar, and Ukraine from its attacks and to be motivated only by financial gain through ransomware, without political motives.

For previous information and analysis details on the Mallox ransomware gang, refer to the following threat actor (TA) introduction and the linked related reports.

  • atip.ahnlab.com: Threat Actors – Mallox ransomware
  • atip.ahnlab.com: Mallox Ransomware Gang Designates a Korean Semiconductor Parts Company as a Victim
  • asec.ahnlab.com: Mallox Ransomware Being Distributed in Korea
  • atip.ahnlab.com: Fileless Method Used to Attack MS-SQL Servers
  • asec.ahnlab.com: Analysis of Ransomware With BAT File Extension Attacking MS-SQL Servers (Mallox)

According to the SentinelOne blog, the following changes were observed compared with the previously known information on Mallox ransomware summarized above.

  • Runs as a Ransomware-as-a-Service (RaaS) threat model
  • Recruits affiliates through underground forums and markets such as Nulled and RAMP
  • Uses phishing emails to deliver attack frameworks such as Cobalt Strike and Sliver
  • Changed the ransom note file name to “HOW TO BACK FILES.TXT”
  • Changed the contact email in the ransom note to “mallox.resurrection@onionmail.org”
  • Besides the ransom note, also creates a file named “Targetinfo.txt” in the execution folder

The changes in Mallox’s behaviors and characteristics are briefly examined below, based on the initial-infiltration samples shared by SentinelOne and a Mallox ransomware sample.

  • 3d434b7cc9589c43d986bf0e1cadb956391b5f9a  updt.ps1
  • 9295a02c49aa50475aa7876ca80b3081a361ff7d  updt.ps1
  • 3fa79012dfdac626a19017ed6974316df13bc6ff  Bwmeldokiller.bat
  • 7e7957d7e7fd7c27b9fb903a0828b09cbb44c196  Kill-Delete.bat
  • 2c49fa21b0a8415994412fe30e023907f8a7b46e  Mallox Ransomware Payloads – 32bit (Previous)
  • 9d182e17f88e26cb0928e8d07d6544c2d17e99f5  Mallox Ransomware Payloads – 64bit (New)

[1] https://www.sentinelone.com/blog/mallox-resurrected-ransomware-attacks-exploiting-ms-sql-continue-to-burden-enterprises/

MD5

417ad60624345ef85e648038e18902ab
SHA1

08a236455490d5246a880821ba33108c4ef00047
0d2711c5f8eb84bd9915a4191999afd46abca67a
0e45e8a5b25c756f743445f0317c6352d3c8040a
11d7779e77531eb27831e65c32798405746ccea1
246e7f798c3bfba81639384a58fa94174a08be80
SHA2

453257c3494addafb39cb6815862403e827947a1e7737eb8168cd10522465deb
47c7cee3d76106279c4c28ad1de3c833c1ba0a2ec56b0150586c7e8480ccae57
75404543de25513b376f097ceb383e8efb9c9b95da8945fd4aa37c7b2f226212
7a42f96599df8090cf89d6e3ce4316d24c6c00e499c8557a2e09d61c00c11986
7a6df63d883bbccb315986c2cfb76570335abf84fafbefce047d126b32234af8
IP

80[.]66[.]75[.]37
80[.]66[.]75[.]40
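The IoC list above is published in the report's defanged, label-then-values layout, and the behavior changes noted earlier add two file-name artifacts (the ransom note “HOW TO BACK FILES.TXT” and “Targetinfo.txt”). The following script is an added example, not part of the report or of any AhnLab or SentinelOne tooling: it parses that IoC block, refangs the IP addresses, and checks constructed firewall log lines, file paths and file contents against the indicators. The hash and IP values embedded in it are copied from the report's list; the log lines, paths and the function names (`parse_iocs`, `scan_log`, `scan_paths`, `hash_matches`) are this example's own.

```python
"""Match the Mallox indicators from this report against constructed sample data."""
import hashlib
import re

# IoC block copied from the report's own MD5 / SHA1 / SHA2 / IP sections.
REPORT_IOC_TEXT = """
MD5
417ad60624345ef85e648038e18902ab
SHA1
08a236455490d5246a880821ba33108c4ef00047
0d2711c5f8eb84bd9915a4191999afd46abca67a
0e45e8a5b25c756f743445f0317c6352d3c8040a
11d7779e77531eb27831e65c32798405746ccea1
246e7f798c3bfba81639384a58fa94174a08be80
SHA2
453257c3494addafb39cb6815862403e827947a1e7737eb8168cd10522465deb
47c7cee3d76106279c4c28ad1de3c833c1ba0a2ec56b0150586c7e8480ccae57
75404543de25513b376f097ceb383e8efb9c9b95da8945fd4aa37c7b2f226212
7a42f96599df8090cf89d6e3ce4316d24c6c00e499c8557a2e09d61c00c11986
7a6df63d883bbccb315986c2cfb76570335abf84fafbefce047d126b32234af8
IP
80[.]66[.]75[.]37
80[.]66[.]75[.]40
"""

# File-name artifacts from the report's list of new Mallox behaviors (compared lower-case).
RANSOM_NOTE_NAMES = {"how to back files.txt", "targetinfo.txt"}

# Digest length in hex characters -> hashlib algorithm name.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def refang(text):
    """Turn the defanged '80[.]66[.]75[.]37' form back into a routable-looking string."""
    return text.replace("[.]", ".")


def parse_iocs(text):
    """Return {'md5', 'sha1', 'sha256', 'ip'} -> set of indicators from the label/value layout.

    Section labels (MD5, SHA1, SHA2, IP) are skipped; each value is classified by its
    shape so a mislabeled or unlabeled line still lands in the right bucket.
    """
    iocs = {"md5": set(), "sha1": set(), "sha256": set(), "ip": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper() in {"MD5", "SHA1", "SHA2", "IP"}:
            continue
        value = refang(line).lower()
        if re.fullmatch(r"[0-9a-f]+", value) and len(value) in HASH_LENGTHS:
            iocs[HASH_LENGTHS[len(value)]].add(value)
        elif re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", value):
            iocs["ip"].add(value)
    return iocs


def hash_matches(data, iocs):
    """Hash file bytes with all three algorithms; return the names of the lists that matched."""
    return [algo for algo in ("md5", "sha1", "sha256")
            if hashlib.new(algo, data).hexdigest() in iocs[algo]]


def scan_log(lines, iocs):
    """Return (line_number, ip) for every log line that mentions a listed IP address."""
    hits = []
    for number, line in enumerate(lines, 1):
        for ip in IP_RE.findall(refang(line)):
            if ip in iocs["ip"]:
                hits.append((number, ip))
    return hits


def scan_paths(paths):
    """Return the paths whose base name is one of the reported ransom-note artifacts."""
    return [p for p in paths
            if p.replace("\\", "/").rsplit("/", 1)[-1].lower() in RANSOM_NOTE_NAMES]


# Constructed sample inputs (not taken from the report).
SAMPLE_LOG = [
    "2023-12-14T03:12:55Z fw allow src=10.0.0.15 dst=80.66.75.37 dport=443",
    "2023-12-14T03:13:02Z fw allow src=10.0.0.15 dst=203.0.113.9 dport=443",
    "2023-12-14T03:15:41Z fw deny src=10.0.0.22 dst=80.66.75.40 dport=80",
]
SAMPLE_PATHS = [
    r"C:\Users\Public\HOW TO BACK FILES.TXT",
    r"C:\Users\Public\Targetinfo.txt",
    r"C:\Users\Public\report.docx",
]

if __name__ == "__main__":
    indicators = parse_iocs(REPORT_IOC_TEXT)
    print("IP hits:", scan_log(SAMPLE_LOG, indicators))
    print("Artifact files:", scan_paths(SAMPLE_PATHS))
    print("Hash hits for a benign file:", hash_matches(b"constructed benign content", indicators))
```

Classifying values by length rather than trusting the section label is deliberate: the report labels its 64-character digests “SHA2”, and copying IoC lists between tools frequently loses the headers, so the parser should not depend on them. Matching on the ransom-note file names is a cheap signal to feed an EDR or file-integrity rule alongside the hash and IP lists.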