The Mallox affiliate discovered by SentinelLabs exploited this leak, using Kryptina’s source code to develop a rebranded payload called Mallox Linux 1.0. This new variant utilizes Kryptina’s original AES-256-CBC encryption scheme, decryption routines, and command-line builder, with only minor modifications. Essentially, the affiliate rebranded the ransomware while keeping its core functionalities intact, removing references to Kryptina from the ransom notes, scripts, and files.
Kryptina source code on the exposed server
Source: SentinelLabs
Evolution of Mallox Ransomware Operations
Historically, Mallox has been a Windows-targeting ransomware operation. However, this latest discovery underscores the group’s pivot towards Linux environments, aligning with broader ransomware trends that target critical infrastructure such as VMware ESXi systems.
Mallox Linux 1.0 retains the simplicity of its predecessor, Kryptina, but with a new name and slightly tweaked documentation. This suggests that the affiliate focused primarily on rebranding while leveraging Kryptina’s functional and efficient encryption code.
The Mallox Linux 1.0 ransom note
Source: SentinelLabs
In addition to the Linux-targeting variant, SentinelLabs uncovered other tools associated with the Mallox operation, including:
- A Kaspersky password reset tool (KLAPR.BAT), a legitimate utility possibly used for gaining unauthorized access to compromised systems.
- An exploit for CVE-2024-21338, a privilege escalation vulnerability affecting Windows 10 and 11.
- Privilege escalation PowerShell scripts, potentially used to elevate access rights on Windows systems.
- Java-based Mallox payload droppers, which could be employed to deliver ransomware payloads across different platforms.
- Disk image files containing pre-configured Mallox payloads, ready for deployment.
- Data folders for 14 potential victims, indicating ongoing operations targeting organizations.