Mallox Ransomware Operators Develop Linux Variant with Leaked Kryptina Code

Date: September 24, 2024


An affiliate of the Mallox ransomware group, also known as TargetCompany, has been observed using a modified version of the Kryptina ransomware to target Linux systems, Bleeping Computer reports.  

Previously focused on Windows systems, Mallox has expanded its operations to include Linux and VMware ESXi environments, signifying a notable shift in its tactics. The variant, dubbed "Mallox Linux 1.0," utilizes the core source code of Kryptina, a ransomware-as-a-service (RaaS) platform launched in late 2023 that failed to gain popularity.

In February 2024, Kryptina’s administrator, using the alias "Corlys," leaked its source code online, allowing others to repurpose it. Mallox Linux 1.0 uses the same encryption (AES-256-CBC), decryption routines, and configuration settings as Kryptina, with only minor changes such as name rebranding and altered ransom notes. The ransomware's source code was modified slightly to fit the Mallox ecosystem.

Researchers also discovered additional malicious tools on the threat actor’s server, including privilege escalation exploits, payload droppers, and data folders for 14 potential victims. The extent to which the new Linux variant is being used—whether by one or multiple affiliates—remains unclear, but this marks a significant expansion in Mallox’s ransomware operations.

Takeaway: Mallox is just the latest ransomware operator to introduce a Linux variant. Mallox first emerged in October 2021. Attack volume surged in 2023 by 174% over 2022 levels, but it subsided in Q4 2023 and the group was all but inactive in the first half of 2024. The development of a new Linux variant could be a sign the group is poised for a resurgence.

Ransomware, once predominantly a Windows-centric threat, has rapidly evolved into a serious threat to Linux environments as well, since a Linux variant greatly expands the range of systems an operator can target.

One of the most pressing concerns is that Linux environments are often not designed with ransomware-specific defenses in mind. Many organizations focus their security measures on Windows systems, underestimating the vulnerabilities unique to Linux platforms.  

Linux systems are no longer merely targets for encryption in ransomware attacks; they are increasingly being exploited as ideal entry points for establishing persistence and facilitating lateral movement within a compromised network. These systems provide cybercriminals with a robust platform to infiltrate deeper into the network, enabling them to steal sensitive data while masking the exfiltration within normal network traffic, making detection much more challenging.

Attackers are increasingly capitalizing on this oversight, exploiting weak SSH configurations, exposed ports, outdated software, and system misconfigurations. A weakly configured Linux host becomes the entry point for lateral movement within a network, allowing attackers to reach, encrypt, or exfiltrate high-value data without needing to directly compromise the systems that hold it.
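The "weak SSH configurations" referred to above usually come down to a handful of sshd_config directives. As an added example (not code from the article, from Halcyon, or from the research it cites), the script below parses an OpenSSH server configuration the way sshd does (first occurrence of a keyword wins, directives after a Match line apply only conditionally) and reports directives whose effective value, set or defaulted, is one an attacker would welcome. The keywords are real OpenSSH directives; the defaults table, the choice of checks, and the two sample configurations are this example's own constructions.

```python
"""Audit an OpenSSH sshd_config for the weak settings ransomware affiliates
look for on exposed Linux hosts.

Added example, not code from the article or from any product it mentions.
The keywords checked are real sshd_config directives; the defaults table,
the choice of checks and the two sample configs are this example's own.
"""
from __future__ import annotations

import re

# Directive -> values considered acceptable (compared lower-cased).
EXPECTED = {
    "permitrootlogin": {"no", "prohibit-password"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "pubkeyauthentication": {"yes"},
    "x11forwarding": {"no"},
}

# Value sshd applies when the directive is absent (OpenSSH 7.0+ defaults).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
    "x11forwarding": "no",
}

# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
_DIRECTIVE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text: str) -> tuple[dict[str, str], set[str]]:
    """Return (effective global values, directives set inside Match blocks).

    sshd uses the FIRST occurrence of a keyword, so a later duplicate does not
    win. Anything after a Match line applies only to matching connections, so
    it is collected for manual review rather than treated as a global value.
    """
    effective: dict[str, str] = {}
    in_match_block: set[str] = set()
    inside_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        key, value = (m.group(1), m.group(2)) if m else (line, "")
        key = key.lower()
        if key == "match":
            inside_match = True
            continue
        if inside_match:
            in_match_block.add(key)
        else:
            effective.setdefault(key, value.strip().lower())
    return effective, in_match_block


def audit(text: str) -> dict[str, list]:
    """Compare the effective configuration against EXPECTED.

    failures: (directive, effective value, "set" | "default") triples
    review:   audited directives that a Match block also sets
    """
    effective, overridden = parse_sshd_config(text)
    failures = []
    for key, allowed in EXPECTED.items():
        origin = "set" if key in effective else "default"
        value = effective.get(key, DEFAULTS[key])
        if value not in allowed:
            failures.append((key, value, origin))
    review = sorted(k for k in overridden if k in EXPECTED)
    return {"failures": failures, "review": review}


# Constructed samples, not taken from any real host.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
X11Forwarding yes
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
X11Forwarding no
# Password logins only for one account, from one subnet:
Match User backup Address 10.0.0.0/24
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg)
        print(f"{name}: {len(result['failures'])} failing directive(s)")
        for key, value, origin in result["failures"]:
            print(f"  {key} = {value} ({origin}); expected {sorted(EXPECTED[key])}")
        for key in result["review"]:
            print(f"  note: {key} is also set inside a Match block; review its scope")
```

Run it against a copy of /etc/ssh/sshd_config, or feed it the output of `sshd -T`, which prints the fully resolved configuration and so also accounts for `Include` fragments (on Debian-derived systems the included files in sshd_config.d take precedence because they are read first). The point of reporting the origin is that an absent `PasswordAuthentication` line is a finding, not a pass: the default is `yes`.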

Moreover, because Linux systems are typically "always on" and continuously available, they offer a perfect foothold for attackers to establish persistence and move undetected through the network. This constant availability provides an ideal environment for data exfiltration, which can often be hidden amidst normal network traffic, making detection and mitigation exceedingly difficult.

Linux servers are integral to backend services, databases, cloud computing, and the handling of high-value workloads. The growing dependency on these systems has made them an attractive and lucrative target for ransomware operators.

Ransomware attacks on Linux systems can lead to catastrophic disruptions, halting essential operations and causing widespread financial and reputational damage. While high-profile incidents, such as ransomware campaigns targeting VMware ESXi hypervisors, often steal the spotlight, the broader population of traditional Linux systems remains perilously underprotected.

This blind spot in many organizations' security strategies represents a critical vulnerability, leaving vital Linux-based systems and endpoints open to attack.

Linux systems often host mission-critical services—such as web servers, databases, and virtualized environments—making them a high-priority target for cybercriminals. A successful ransomware attack on these systems can result in total operational paralysis, extensive downtime, data loss, and staggering financial costs.  

Unlike Windows environments, where ransomware defenses are more commonly implemented, Linux servers are frequently less fortified, making them easier prey for attackers seeking to maximize disruption.

In enterprise settings, Linux servers are not only ubiquitous but are also responsible for the storage and processing of sensitive, high-value data. Cybercriminals exploit this fact, demanding higher ransoms due to the severe consequences of a successful attack.  

The impact of such incidents is exacerbated by the growing use of Linux in cloud infrastructures and virtualized environments. When ransomware compromises these Linux-based systems, it can cripple both physical and virtual assets, leading to prolonged service interruptions, encrypted data, and irreversible productivity losses.

Protecting Linux environments must no longer be an afterthought. Instead, organizations must adopt a proactive approach, ensuring robust ransomware defenses are applied uniformly across all platforms, particularly as Linux systems form the backbone of most enterprise infrastructures.

In today's threat environment, safeguarding Linux from ransomware is not just a best practice—it's a necessity. Organizations that fail to account for the growing risks to their Linux systems will likely face devastating operational and financial repercussions.  

With ransomware actors broadening their focus to include Linux, staying ahead of these evolving threats is critical for maintaining both security and business continuity.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.