Mallox attacks El Seif Development

Incident Date:

January 16, 2023

World map



Mallox attacks El Seif Development


El Seif Development




Riyadh, United Arab Emirates

, United Arab Emirates

First Reported

January 16, 2023

The Mallox Ransomware Attack on El Seif Development

The Mallox ransomware gang has attacked El Seif Development. El Seif Development is a medical equipment and pharmaceutical manufacturing company headquartered in Riyadh, Saudi Arabia. It employs around 3000 people and has ongoing business with 3,300 government hospitals and medical centers, 200 private hospitals, 2600 private clinics, and over 2,200 pharmacies. It has 15 warehouses scattered across different cities in Saudi Arabia and a large fleet exceeding 400 vehicles used for distribution and warehousing.

Mallox posted El Seif Development to its data leak site on January 16th, claiming to have stolen 18GB of data. Industry analysts first detected Mallox in June 2021. The group was initially dubbed "TargetCompany" because it appended encrypted files with the target company's name.

Evolution of Mallox Ransomware

In an interview conducted in January 2023, the threat actors responsible for Mallox clarified that each major update of the ransomware involved changing the encryption algorithm and decryptor characteristics. These updates were accompanied by modifications to file name extensions, leading to the evolution of the group's names.

Earlier variants of Mallox provided a contact site with the extension ".onion" for negotiations and delivered ransom notes titled "How to decrypt files.txt." However, the ransomware stopped using the targeted company's name as file name extensions in later variants.

During mid- to late 2022, the group was referred to as Fargo due to the extension added to its encrypted files at that time. Additional extensions employed by the ransomware group included ".mallox" and ".xollam." These later variants were observed utilizing a combination of Chacha20, Curve 25519, and AES-128 algorithms for file encryption.

Eventually, the ransomware group established a data leak site called Mallox, and subsequent variants dropped ransom notes labeled "HOW TO RECOVER!!.txt."

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.