Avast researchers have identified a vulnerability in the cryptographic schema of the Mallox ransomware variant, allowing victims attacked between January 2023 and February 2024 to potentially restore their files for free. The cryptographic flaw was corrected in March 2024, so decryption is no longer feasible for later versions.

Affected: Mallox ransomware victims

Key points:
- A flaw in the cryptographic schema of the Mallox ransomware variant was discovered.
- Victims of this specific variant could restore their files for free until the flaw was fixed in March 2024.
- The Mallox ransomware was previously known as TargetCompany ransomware.
- Avast provided a decryptor for the earlier version in January 2022.
- The attackers fixed the original cryptographic flaws, which disabled the earlier decryption method.
- New mistakes in the updated schema allowed for the decryption of files without a private ECDH key.
- The decryptable versions were in circulation from January 2023 to February 2024.
- Victims could recognize encrypted files by specific extensions such as .mallox and .bitenc.
- Ransom notes were left in each folder containing instructions to recover files.
- Indicators of compromise (IOCs), including MD5 hashes of several encrypted files, are listed below.
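The two recognisable traces the page names (the .mallox and .bitenc extensions and a ransom note in every affected folder) are enough to build a first-pass triage of a suspected victim machine. The script below is an added example written for this summary, not code from Avast or Gen Digital: it groups a file listing by folder, counts files with the Mallox extensions, matches their MD5 hashes against the IOCs on this page, flags folders that also hold a ransom note, and checks whether a date falls inside the window the decryptor covers. The ransom-note filename hints are an assumption (the page says a note is dropped in each folder but does not name it), and the sample listing is constructed.

```python
"""Triage helper for Mallox-style findings (added example, not Avast/Gen code)."""
import hashlib
import os
import posixpath
from datetime import date

# File extensions the page associates with Mallox-encrypted files.
MALLOX_EXTENSIONS = {".mallox", ".bitenc"}

# MD5 hashes of encrypted files listed on the page as indicators of compromise.
MALLOX_FILE_MD5 = {
    "a340ef5adb00a2bf1a0735600491ca98",
    "003ea0712cd31a75f5dfb6a23d2d12ea",
    "25719f4afa357af8141e42fa9a0499c0",
    "34c04dff26da88c339eeb1220f7e8ac8",
    "0706c9d8413a6ffb7dc68d6a69a9ced9",
}

# Window in which the decryptable variants circulated, per the page.
DECRYPTABLE_START = date(2023, 1, 1)
DECRYPTABLE_END = date(2024, 2, 29)

# Assumption: the page says a ransom note is dropped in every folder but does
# not give its name, so note detection relies on hypothetical filename hints.
NOTE_NAME_HINTS = ("recover", "recovery", "readme")


def is_encrypted_name(path):
    """True if the file carries one of the Mallox extensions (case-insensitive)."""
    return posixpath.splitext(path)[1].lower() in MALLOX_EXTENSIONS


def looks_like_ransom_note(path):
    """Heuristic: a .txt file whose name contains one of the assumed hints."""
    name = posixpath.basename(path).lower()
    return name.endswith(".txt") and any(h in name for h in NOTE_NAME_HINTS)


def in_decryptable_window(when):
    """True if a date falls inside the window the free decryptor covers."""
    return DECRYPTABLE_START <= when <= DECRYPTABLE_END


def triage(entries):
    """Group (path, md5) entries by folder and report only folders with findings.

    Returns {folder: {"encrypted": n, "ioc_hits": n, "has_note": bool}}.
    """
    report = {}
    for path, md5 in entries:
        folder = posixpath.dirname(path)
        enc = is_encrypted_name(path)
        note = looks_like_ransom_note(path)
        if not (enc or note):
            continue
        row = report.setdefault(folder, {"encrypted": 0, "ioc_hits": 0, "has_note": False})
        if enc:
            row["encrypted"] += 1
            if md5.lower() in MALLOX_FILE_MD5:
                row["ioc_hits"] += 1
        if note:
            row["has_note"] = True
    return report


def md5_of_file(path):
    """Stream a file through MD5 so large encrypted files do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root):
    """Walk a real directory tree and feed it to triage(); hashes only candidates."""
    entries = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name).replace(os.sep, "/")
            md5 = md5_of_file(full) if is_encrypted_name(full) else ""
            entries.append((full, md5))
    return triage(entries)


# Constructed sample listing (not real victim data) so the script runs offline.
SAMPLE_LISTING = [
    ("C:/Users/alice/Documents/report.docx.mallox", "a340ef5adb00a2bf1a0735600491ca98"),
    ("C:/Users/alice/Documents/budget.xlsx.bitenc", "ffffffffffffffffffffffffffffffff"),
    ("C:/Users/alice/Documents/FILE RECOVERY.txt", ""),
    ("C:/Users/alice/Pictures/holiday.jpg", ""),
]

if __name__ == "__main__":
    for folder, row in triage(SAMPLE_LISTING).items():
        print(folder, row)
```

Run it as-is against the constructed listing, or call `scan_directory("/mnt/evidence")` on a mounted image. Only files with the Mallox extensions are hashed, which keeps the scan cheap on large trees; a folder is reported when it holds either an encrypted file or a note, so a note-only folder (files already wiped or moved) is still surfaced. File timestamps are only a hint for `in_decryptable_window`, since they need not reflect when encryption actually happened.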
MITRE Techniques:
- T1486: Data Encrypted for Impact – The Mallox ransomware encrypts files and leaves ransom notes.
Indicators of Compromise:
- [MD5] a340ef5adb00a2bf1a0735600491ca98
- [MD5] 003ea0712cd31a75f5dfb6a23d2d12ea
- [MD5] 25719f4afa357af8141e42fa9a0499c0
- [MD5] 34c04dff26da88c339eeb1220f7e8ac8
- [MD5] 0706c9d8413a6ffb7dc68d6a69a9ced9
Full Story: https://www.gendigital.com/blog/insights/research/decrypted-mallox-ransomware