Mallox attacks Contec Systems

Incident Date:

July 29, 2023

World map



Mallox attacks Contec Systems


Contec Systems




Pottstown, USA

Pennsylvania, USA

First Reported

July 29, 2023

The Mallox Ransomware Gang's Attack on Contec Systems

The Mallox ransomware gang has attacked Contec Systems. Contec Systems is an environmental reporting company founded in 1990 and headquartered in Pottstown, Pennsylvania, USA. Mallox posted Contec Systems to its data leak site on July 29th, threatening to publish all stolen data by August 10th if the organization fails to pay the ransom.

Mallox is an emerging RaaS that first emerged in October of 2021 using a ransomware variant dubbed “tohnichi” for its file extension. The group then introduced a variant that appended files with “.mallox” which resulted in most researchers calling the group “Mallox.” Mallox was notable for its swift encryption speed, ability to bypass security tools like Windows Defender, and deletion of Shadow Copies to thwart encryption rollback.

Increasing Attack Volume and Ransom Demands

Mallox attack volume was low but began to accelerate in late 2022 and continues to increase in Q1-2023. There is not much info on how much Mallox demands for ransoms, but they appear to be relatively low compared to leading threat actors (in the thousands of dollars). Still, they are a newer group that has only recently started to recruit affiliates, and they are constantly improving their malware, so we expect ransom demands to increase.

Unique Delivery Methods and Advanced Techniques

Mallox employs a unique delivery method for the ransomware payload that does not require a loader but instead uses a batch script to inject into the “MSBuild.exe” process in memory to evade detection. Mallox has been observed using advanced TTPs like DLL hijacking, which is not common to ransomware attacks. Mallox uses the Chacha20 algorithm for encryption. In 2023, they began using a variant that appends with “.xollam” which leverages malicious OneNote file attachments for infection, where earlier variants targeted vulnerable MS SQL instances.

Recruitment and Targeting Strategy

Mallox only recently appears to be recruiting affiliates for a RaaS platform, so this group is one to watch. Mallox has hit some critical infrastructure IT providers but seems to be opportunistic, hitting targets primarily in the US and India.

It is unclear if Mallox engages in data exfiltration for double extortion, but they likely will follow other attackers in using this tactic as they develop their RaaS platform.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.