CERT-In has issued a warning about the Mallox ransomware exploiting poorly secured MS-SQL servers through dictionary attacks.
By using this method as a penetration vector, the ransomware gains unauthorized access to victims’ networks, leading to potentially severe compromises and data breaches.
“It has been observed that Mallox Ransomware is currently targeting unsecured Microsoft SQL Servers, using them as entry points into victims’ ICT infrastructures to distribute the ransomware,” said the CERT-In alert.
“It has also been observed that the threat actor group has used brute force techniques on publicly exposed MS SQL instances to gain initial access to the victims’ network infrastructure.”
This software is leaving a trail of chaos, and its latest strategy involves targeting unsecured Microsoft SQL Servers. The Mallox Ransomware follows a double extortion technique to maximize its impact.
Before encrypting an organization’s files, it stealthily steals sensitive data, weaponizing it as leverage against the victims.
The threat actors then threaten to expose this confidential information on leak sites unless the ransom is paid – a twisted cyber-blackmail at its finest.
It is crucial for organizations and individuals to ensure proper security measures are in place to protect their MS-SQL servers from such attacks and prevent falling victim to the Mallox ransomware, warns the CERT-In alert.
The modus operandi of Mallox ransomware
According to Unit 42 researchers, the activities of Mallox ransomware have surged by 174% compared to the previous year. This rise in attacks is a cause for concern and necessitates robust measures to counter the threat.
The cybercriminals behind Mallox have found a way to exploit unsecured MS-SQL servers as an entry point into victims’ networks, thereby amplifying their reach and the potential damage they can inflict.
The Mallox group employs a combination of tactics to carry out their criminal scheme successfully. They deploy brute force techniques on publicly exposed MS SQL instances to gain unauthorized access to victims’ networks.
Additionally, they utilize an array of tools like network scanners and data exfiltration techniques to cover their tracks and thwart security measures.
Once the Mallox Ransomware establishes a foothold in a target network, it strikes with deadly precision. The ransomware payload is downloaded from a remote server using the command line and PowerShell, setting the stage for the malevolent encryption process.
Before initiating encryption, the ransomware takes a series of preparatory steps to ensure its task is carried out smoothly. It attempts to halt and remove SQL-related services to access and encrypt the victim’s files effectively.
Moreover, it tries to delete volume shadows, making file restoration a daunting challenge for the afflicted organization.
To evade detection and impede forensic analysis, Mallox takes further calculated actions. The ransomware clears application, security, setup, and system event logs, leaving little trace of its activities.
It also manipulates file permissions, denies access to critical system processes, and terminates security-related services.
Raising the defenses: Tips to foil Mallox ransomware
Indian Computer Emergency Response Team (CERT-In) has shared its list of mitigation strategies to fight against the Mallox ransomware and steps to secure Microsoft SQL Server instances:
- Avoid exposing SQL Servers to the Internet on the default port (1433). Opt for secure connections like VPNs instead.
- Disable or strengthen the sa account to minimize the risk of unauthorized access.
- Audit SQL CLR Assemblies and remove any unwanted ones.
- Implement a firewall, allowing incoming traffic only from trusted networks and IP addresses.
- Keep SQL Server up to date with the latest patches and updates.
- Enforce the use of strong and unique passwords for all SQL logins.
- Configure account lockout policies to counter brute force attacks.
- Encrypt data in transit using SSL/TLS to protect against eavesdropping.
- Monitor SQL Server activity through auditing to detect and respond to threats promptly.
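The checklist above, carried out in T-SQL as an added example; this code is not from the CERT-In advisory or the article. It assumes a sysadmin session on SQL Server 2017 or later (the `client_ip` column of the audit reader is assumed to exist on that version), and the login names, audit names and the `D:\SQLAudit\` path are placeholders. The firewall, patching and VPN items are operating-system and network settings and are not shown here.

```sql
-- Added example (not from the CERT-In advisory or The Cyber Express article).
-- Assumes sysadmin rights on SQL Server 2017+; names and paths are placeholders.

-- 1. Reduce the value of the 'sa' login, the usual dictionary-attack target:
--    disable it, and rename it so the default name no longer exists.
ALTER LOGIN sa DISABLE;
ALTER LOGIN sa WITH NAME = [svc_admin_placeholder];

-- 2. Create an administrative login that inherits the Windows password and
--    account-lockout policy (CHECK_POLICY) and password expiry (CHECK_EXPIRATION).
--    Generate the password randomly; the literal below is only a placeholder.
CREATE LOGIN [dba_placeholder]
    WITH PASSWORD = N'Replace-With-Generated-Secret-9f3!',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON;
ALTER SERVER ROLE sysadmin ADD MEMBER [dba_placeholder];

-- 3. Find SQL logins that bypass the Windows policy (weak password or no lockout).
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0;

-- 4. Audit user-defined CLR assemblies (sys.assemblies is per database, so run
--    this in each database). UNSAFE / EXTERNAL_ACCESS assemblies execute code
--    inside the SQL Server process and deserve the closest review.
SELECT DB_NAME() AS database_name, name, permission_set_desc, create_date
FROM sys.assemblies
WHERE is_user_defined = 1;
-- DROP ASSEMBLY [unwanted_assembly_placeholder];   -- only after review

-- 5. Verify data in transit is encrypted. Force Encryption is set in SQL Server
--    Configuration Manager; this query only confirms the outcome.
SELECT session_id, encrypt_option, client_net_address
FROM sys.dm_exec_connections
WHERE encrypt_option <> 'TRUE';   -- any rows are unencrypted sessions

-- 6. Turn on a server audit that records login activity to disk.
CREATE SERVER AUDIT [LoginAudit_placeholder]
    TO FILE (FILEPATH = N'D:\SQLAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 20)
    WITH (ON_FAILURE = CONTINUE);
CREATE SERVER AUDIT SPECIFICATION [LoginAuditSpec_placeholder]
    FOR SERVER AUDIT [LoginAudit_placeholder]
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP)
    WITH (STATE = ON);
ALTER SERVER AUDIT [LoginAudit_placeholder] WITH (STATE = ON);

-- 7. Surface dictionary-attack bursts from the audit files: more than 20 failed
--    logins from one client address against one login in a five-minute window.
--    action_id 'LGIF' = login failed; client_ip is assumed present (SQL 2017+).
SELECT client_ip,
       server_principal_name,
       DATEADD(MINUTE, (DATEDIFF(MINUTE, 0, event_time) / 5) * 5, 0) AS window_start,
       COUNT(*) AS failed_attempts
FROM sys.fn_get_audit_file(N'D:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE action_id = 'LGIF'
GROUP BY client_ip,
         server_principal_name,
         DATEADD(MINUTE, (DATEDIFF(MINUTE, 0, event_time) / 5) * 5, 0)
HAVING COUNT(*) > 20
ORDER BY failed_attempts DESC;
```

Steps 1 to 6 are one-off changes made from SSMS or sqlcmd; step 7 is the query to schedule (or to replace with a SIEM rule over the same audit files) so that a burst of failed logins against an exposed instance is noticed before a guessed password turns into a foothold. Raise or lower the 20-attempt threshold to match the lockout policy the instance inherits from Windows.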
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.