{
	"id": "44b1b070-ea5f-4249-af0d-dc5a8f5c2d6d",
	"created_at": "2026-04-06T00:17:31.507307Z",
	"updated_at": "2026-04-10T03:27:57.476063Z",
	"deleted_at": null,
	"sha1_hash": "05857a0c83ba3fe01050dd3f7a41e6983f303e73",
	"title": "A Victim of Mallox Ransomware: How Truesec CSIRT Fought Back",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1312098,
	"plain_text": "A Victim of Mallox Ransomware: How Truesec CSIRT Fought Back\r\nBy Hjalmar Desmond\r\nPublished: 2024-01-15 · Archived: 2026-04-05 21:36:16 UTC\r\nTruesec CSIRT helped a company recover from a full-scale ransomware attack by the threat actor Mallox. In this blog post I will share insights into the tactics, techniques, and procedures (TTPs) of the threat actor.\r\nMallox is a Ransomware-as-a-Service (RaaS)\r\nRansomware-as-a-Service (RaaS) is a cybercrime business model in which operators maintain the software, websites, infrastructure, and other features needed to conduct ransomware attacks. Affiliates of the RaaS program conduct the attacks, and the profits are then shared between the affiliate and the operator. The Mallox ransomware has been active since the middle of 2021.\r\nIn this article I share some insights into the incident response that allowed the victim to fully recover from the ransomware attack. I will refer to Mallox as the threat actor, but it is important to remember that the intrusion could also have been carried out by an affiliate of the RaaS program.\r\nThe techniques of the threat actor have been split into the following categories:\r\nInitial Access – How the threat actor gained access to the victim's IT infrastructure.\r\nPersistence – Backdoors created by the threat actor to allow persistent access to the victim environment without relying on the initial access vector.\r\nhttps://www.truesec.com/hub/blog/a-victim-of-mallox-ransomware-how-truesec-csirt-fought-back\r\nPage 1 of 8\n\nPrivilege Escalation – The techniques used by the threat actor to gain the privileges needed for the attack (usually the point at which they obtain domain admin credentials).\r\nNetwork Enumeration – Activities by the threat actor to map the victim's IT infrastructure.\r\nLateral Movement – How the threat actor moved within the IT infrastructure during the attack. This is often done to find systems and credentials for launching the ransomware attack. 
Additionally, it is often at this stage that the threat actor identifies systems with sensitive information, which are potential targets for data exfiltration.\r\nExfiltration – Stealing data that is later used by the threat actor in the extortion.\r\nThe Mallox Ransomware – Description of how the ransomware executable functions (reverse engineering).\r\nExtortion – How the threat actor extorts its victims into paying.\r\nInitial Access\r\nThe Mallox threat actor is known for exploiting unsecured MSSQL servers for initial access. In this incident, the first traces of the threat actor were seen on an exposed web server running MSSQL. In the AppData directory of the service account running the SQL service, several PowerShell dropper scripts were observed, for instance one script called “alta.ps1”.\r\nA good explanation of the method the Mallox ransomware threat actor uses to gain initial access can be found in the following blog post by Unit42.\r\nThe Truesec CSIRT has also investigated other attacks tied to the Mallox ransomware. In these cases we have also observed brute-force attacks from the threat actor targeting internet-exposed MSSQL services.\r\nPersistence\r\nAfter the threat actor gained initial access to the web server, they immediately installed AnyDesk, a similar approach to the one used by the ransomware threat actor Akira (for further reading, see this blog post). By using legitimate remote desktop software as a backdoor, the threat actor created a convenient way to gain persistent access to the victim environment without relying on malware.\r\nThe screenshot below shows an example of the AnyDesk application. The screenshot is not from inside the victim environment, but it shows what the application looks like from a user perspective. 
The software can be downloaded from the AnyDesk website.\r\nPrivilege Escalation\r\nThe threat actor used Mimikatz to dump credentials on the server where they gained their initial access. These credentials yielded the information that enabled them to access the environment as a domain administrator. Mimikatz is an open-source tool commonly used by threat actors to steal credentials from a computer.\r\nIt is worth noting that once the threat actor obtains domain admin credentials, the whole domain is considered compromised.\r\nNetwork Enumeration\r\nTo gain an understanding of the victim network, threat actors typically perform some kind of network enumeration. In this incident, the Mallox threat actor used an application called netscan.exe. The application is a legitimate tool developed by SoftPerfect. In the attack, the threat actor used version 6.2.1.0, and the file was renamed to netscanold.exe.\r\nLateral Movement\r\nThe threat actor created an account called SystemUI, which was primarily used for lateral movement. The account was created with a script called system.bat, which the threat actor forgot to remove after their attack. A funny note here is that the last line of the script is a comment saying “REMOVE THIS FILE”.\r\nData Exfiltration\r\nThe threat actor exfiltrated data using the legitimate software FileZilla. The software is a free tool that can be used to transfer files over FTP or SFTP.\r\nThe Mallox Ransomware\r\nWhen we discover malware samples during an incident, they typically get analyzed by one of our reverse engineering specialists. In this case, the malware samples ozon.exe and net_[CUSTOMER_ID].exe were investigated. 
The latter filename contained the same customer ID that is presented in the ransom note. Both executables operate in a very similar way. Before encryption, their process can be briefly summarized as:\r\n1. Disables recovery mechanisms using bcdedit.\r\n2. Checks the system language and approximate geographic location, and terminates if it is Russia or a nearby region.\r\n3. Changes the Windows power plan to highest performance.\r\n4. Sends a DNS request to check internet connectivity.\r\n5. Sends an HTTP POST request to the C2 infrastructure containing information about the infected system and the customer ID (the same as in the filename and the ransom note).\r\nAdditionally, the malware does not encrypt files that have the following extensions:\r\n.msstyles .icl .idx .avast .rtp .mallox .sys .nomedia .dll .hta .cur .lock .cpl .ics .hlp .com .spl .msi .key\r\nThe encrypted files have the extension .mallab.\r\nAfter the encryption process is done, the threat actor leaves the following ransom note on the encrypted system. The note is found inside all encrypted folders.\r\nExtortion using the Mallox Darkweb Blog\r\nSimilar to most ransomware threat actors, Mallox uses the double extortion technique. First the threat actor asks for a ransom to decrypt the files. After the attack, the threat actor threatens to publish exfiltrated data on their darkweb blog.\r\nThe screenshot below was taken during the writing of this post; the victim is not one of the listed companies. However, it does show what their darkweb leak site looks like.\r\nThe image is censored so as not to expose any of the threat actor's victims. 
But if you are curious about the business that happens on the darkweb, check out this webinar.\r\nWebinar - A Glimpse at the Dark Web and Why You Need to Be There\r\nRecovery – How we fought back!\r\nTo restore the victim's IT environment, a laundry process was used. Servers were either rebuilt or recovered from backups. When server backups are used, they go through an extensive cleaning process to eliminate all known traces of the threat actor, together with deeper analysis and threat hunting to detect potentially unknown threats.\r\nThe recovery process runs alongside the forensic investigation throughout most of the incident. It is important to remember that in order to properly recover from a ransomware attack, it is crucial to identify the activities carried out by the threat actor. For instance, if the initial access vector is not identified, the threat actor could enter the environment again and the attack could be repeated.\r\nLessons Learned\r\nVulnerable servers exposed to the internet provide initial access for threat actors. The Mallox ransomware would not have affected this company if they had patched their internet-facing MS SQL server. It is also recommended to review which services are accessible from the internet. Typically, our recommendation is not to have SQL servers internet facing.\r\nEvaluate detection and response capabilities – Does the existing solution block and detect modern threats? Are the alerts monitored? Consider using a security operations center (SOC) to monitor and respond to alerts from security products.\r\nTo prevent lateral movement, it is crucial to have a secure Active Directory. A good approach is to implement administrative tiering. 
In this blog post, my colleague Mikael Nyström wrote about how to properly protect high-privilege accounts, for instance by implementing administrative tiering. There is also a great 15-minute tutorial on how to secure your Active Directory using tiering.\r\nHow to Secure Active Directory (AD Tiering) - Tutorial 15 min\r\nIndicators of Compromise (IOCs)\r\nFiles:\r\nsystem.bat (SHA256=0e05b8d0a88660c00510abde3aade43291e774880ed001e3a88dbb753dcb6f52)\r\nnetscanold.exe (SHA256=572d88c419c6ae75aeb784ceab327d040cb589903d6285bbffa77338111af14b)\r\naddt.ps1 (SHA256=dc404d498cc6443db5c872e6acfa394641c83313263fe2373535d7eeb49a62e9)\r\nozon.exe\r\nIPv4 Addresses:\r\n91.215.85.142\r\n80.66.75.66\r\n80.66.75.37\r\n198.27.110.201\r\n34.197.32.16\r\n203.154.255.114\r\n103.39.109.50\r\n195.3.146.183\r\nReferences\r\nFindings and conclusions originate from incidents investigated by the Truesec CSIRT and from Truesec Threat Intelligence. The other resources used in this article are:\r\nhttps://unit42.paloaltonetworks.com/mallox-ransomware/\r\nhttps://www.truesec.com/hub/blog/a-victim-of-akira-ransomware\r\nhttps://deploymentbunny.com/2023/11/01/webinar-5-key-issues-uncovered-during-incident-response/\r\nhttps://www.youtube.com/watch?v=OPwR2UFDYR0\r\nhttps://anydesk.com/en\r\nhttps://github.com/ParrotSec/mimikatz\r\nhttps://filezilla-project.org/\r\nSource: https://www.truesec.com/hub/blog/a-victim-of-mallox-ransomware-how-truesec-csirt-fought-back",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.truesec.com/hub/blog/a-victim-of-mallox-ransomware-how-truesec-csirt-fought-back"
	],
	"report_names": [
		"a-victim-of-mallox-ransomware-how-truesec-csirt-fought-back"
	],
	"threat_actors": [
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434651,
	"ts_updated_at": 1775791677,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/05857a0c83ba3fe01050dd3f7a41e6983f303e73.pdf",
		"text": "https://archive.orkl.eu/05857a0c83ba3fe01050dd3f7a41e6983f303e73.txt",
		"img": "https://archive.orkl.eu/05857a0c83ba3fe01050dd3f7a41e6983f303e73.jpg"
	}
}