





An affiliate of the Mallox ransomware operation, also known as TargetCompany, has shifted its focus to Linux systems. This new tactic involves using a slightly modified version of the Kryptina ransomware, initially designed for Windows. According to SentinelLabs, this version is distinct from other Linux-targeting Mallox variants described last June by Trend Micro. The development highlights the evolving ransomware ecosystem, as Mallox branches out from Windows to Linux and VMware ESXi systems.
Originally launched in late 2023, Kryptina was marketed as a low-cost ($500-$800) ransomware-as-a-service (RaaS) platform, specifically designed for Linux systems. However, it failed to gain popularity within the cybercrime community. In February 2024, a user going by the alias “Corlys” leaked Kryptina’s source code on hacking forums. This leak gave various ransomware actors access to a working Linux variant.
In an operational error, a Mallox affiliate exposed their tools, revealing that Kryptina’s source code had been repurposed by Mallox operators. SentinelLabs discovered that the new Mallox Linux 1.0 variant uses Kryptina’s core source code, encryption mechanism (AES-256-CBC), and decryption routines. The affiliate simply rebranded it, removing Kryptina references from ransom notes and scripts. They also condensed the existing documentation while leaving the technical foundation intact.
Aside from the Mallox Linux 1.0 variant, SentinelLabs uncovered additional tools on the threat actor’s server. These included:
Currently, it remains unclear if Mallox Linux 1.0 is being used by a single affiliate or multiple operators within the Mallox ransomware group.
With ransomware groups like Mallox broadening their targets to include Linux systems, businesses must prioritize security across all operating environments. Regular patching, strong authentication practices, and continuous monitoring are essential to mitigate risks.
Copyright 2026 Tech Providence