Interview with Mallox ransomware group
Marco A. De Felice aka amvinfe – 01/16/2023
Tags: ADIVA Co. Ltd, ChaCha20, Fargo, Interview, Mallox, Ransomware, TargetCompany
Mallox is certainly one of the longest-lived ransomware groups still in full swing today: we were able to observe its first file samples as early as June 2021, when some industry analysts classified it under the name “TargetCompany ransomware”.
A year later, in mid to late 2022, the same group was given the name Fargo; because of the extension it currently appends to encrypted files, it is now classified under the name Mallox ransomware.
Between November and December 2022, the laboratories of several companies in the sector (Cyble, Fortinet, K7 Computing, Sangfor) recorded a peak in samples attributable to Mallox. This increase prompted us to find out more, which is why in recent days we contacted the ransomware group to ask for an interview.
SuspectFile – During the last months of last year, several companies working in the field of information security dedicated ample space to your group, reporting an increase in your activity. A few weeks later you decided on a makeover of your blog. Why this choice?
Mallox – We do not like excessive attention among those who oppose us, and we do not have a goal of increasing awareness. Blogging is an additional reason to pay us. The latest changes are due to technical reasons, and we did not restore old posts.
SuspectFile – Your group was first reported as early as June 2021 under the name of TargetCompany, then towards the end of 2022 you were identified under the name of Fargo, and most recently as Mallox. Does each change correspond to a new ransomware variant, or have you kept the initial characteristics, and is the algorithm you use to encrypt files still ChaCha20?
Mallox – The project was used by various groups until we bought it. Despite the large number of shortcomings, we chose it because its foundation was impeccable. We knew for sure that, based on our experience, we could make it perfect for us. We accompanied each major update with a change in the extension, since the encryption algorithm changed and it was required to use decryptors with different characteristics. But as I said, the basic characteristics (the ChaCha20 algorithm) were flawless and did not require changes.
SuspectFile – In recent months we have had the opportunity to observe many of your chats, in all of which you asked for a very small ransom (in the order of a few thousand dollars), despite the fact that the victims did not belong to a “low target”. In addition to the value in terms of corporate capital of the affected entity, by which indicators do you quantify the initial price that the victim must pay you?
Mallox – We rely more on the amount of damage caused, which is expressed in the amount of encrypted data and its value. Even if the company has a lot of capital, it will try to do everything possible not to pay and to recover what it can. We give the client a choice: it is better off paying us than incurring higher recovery costs.
SuspectFile – Can you tell us, even if only indicatively, what your earnings have been from 2021 to today?
Mallox – We do not calculate income and do not even disclose approximate information about finances.
SuspectFile – From the analyses carried out on some samples of the ransomware, several factors emerge, some of them precise characteristics of the ransomware, but one above all has caught our interest: the shutdown of the services attributable to the GPS. Why stop that kind of service?
Mallox – This is due to the fact that we often met it. We disable unnecessary services that consume resources so that nothing can interfere with the encryption process.
SuspectFile – It would seem you do not hit entities belonging to Kazakhstan, Russia, Qatar or Ukraine; is that correct?
Mallox – Yes, but this is due to the personal decision of the developer to limit our work to these regions. We have no prejudices or preferences as to which countries to work in.
SuspectFile – Physically, do you carry out your operations from Europe or from other continents?
Mallox – We carry out our work from the European region.
SuspectFile – Do you consider yourself a politically linked ransomware group?
Mallox – Absolutely no. For us, the main and only goal is to receive monetary profit.
SuspectFile – As we have already written, at the beginning of 2023 you “emptied” your blog of the names of your old victims, 6 known at the moment, none of which referred to educational or health entities. SuspectFile pays great attention to these types of victims, which we believe should never join the lists of ransomware groups or their affiliates.
Do you have a specific target when identifying a victim or does it make no difference to you?
Mallox – We are most focused on the commercial sectors. Given a choice, we will not purposefully encrypt hospitals and welfare-related businesses.
SuspectFile – Can you confirm that the number of your victims is the one reported as 6, or is the number different? If so, how many are there in total?
ADIVA Co. Ltd
Ban Leong Technologies Ltd
Canny Elevator Co. Ltd
API MDC Technical Research Center Sdn Bhd
Aerotech Precision Manufacturing
CLUB DE TENIS LA PAZ
Mallox – The number of victims is in the thousands. We publish only a select few.
The figure of “thousands” of victims in this latest response seemed really excessive to us, so we repeated the question:
SuspectFile – Do you confirm your answer when you state “The number of victims is in the thousands. […]”?
Mallox – Everything is right there!
SuspectFile – Is Mallox Ransomware a closed group or does it have affiliates (RaaS)?
Mallox – We are open to suggestions, but at the moment it is a very small closed group. We are very careful about those who want to join us.
SuspectFile – One question we ask every group we interview is about the relationship a ransomware group has with its affiliates.
SuspectFile.com managed to read the chat between a victim and a group operator. In several cases, during the negotiation, some communication problems arose. The victim asked for concrete evidence of the data breach and the file tree, but the operator could not answer because all the data was in the affiliate’s hands. Don’t you think these situations can undermine the trustworthiness of a ransomware group?
Mallox – We do not aim to create a picture of reliability, and we do not paint false hopes. We could take a screenshot of the data, but not download it. A screenshot or video cannot be proof of anything. A lot of people don’t believe us, and it’s true. But it is a mistake to believe that anyone should believe us at all, because we are initially in the position of unfriendly persons.
SuspectFile – In the recent past, some well-known ransomware groups have disbanded for various reasons, among them total disagreement with some “guidelines” imposed by the top of the group. Was Mallox Ransomware also born from the dissolution of other groups, or did you too, as an affiliate, decide, as has happened for many others, that it was time to work for yourself?
Mallox – We are a very small group of just a couple of people. Initially, our team worked in the ranks of another group. The separation was due to bureaucratization and lack of flexibility, because of which we did not earn serious money while we were limited by superiors.
SuspectFile – Do you also think, like some other groups, that some of the cybersecurity companies that companies rely on as “negotiators” eventually secretly enter into an agreement with the ransomware group? Has it ever happened to you?
Mallox – I do not consider cybersecurity companies to be always committed to complying with the law and playing a fair game. I think that more than once they have had to make a deal with us. They just make a decision that suits them.
SuspectFile – In fact, most companies in any industry invest little or nothing in cybersecurity. But beyond that, what are the main shortcomings companies should intervene on, given that very often (even in your case) the main door to a company’s IT systems is opened, unknowingly, by poorly trained personnel (we refer, for example, to phishing emails)?
Mallox – I do not think that every employee who uses a computer should understand IT. It is enough to follow the instructions and rules, which are determined by the department of security engineers and IT specialists. The problem is that many are not able to test the competence of IT staff and there is no methodology for testing knowledge. Failure to take digital hygiene seriously leads to devastating consequences that management personnel are unaware of.
SuspectFile – In the case of ADIVA Co. Ltd, how did you get into their IT systems: via email, RDP, VPN, a known vulnerability?
Mallox – We use different approaches. Basically, we find vulnerabilities that are massive. Distribution through deception, when the client himself launches the virus, is not ethical enough for us. We don’t need to interact with the victim.
SuspectFile – Is the amount of ADIVA Co. Ltd data published (1 GB) the total data exfiltrated?
Mallox – Often we do not publish all the information; there is no need for this.
SuspectFile – If your answer is no, what is the total and is there also PII or PHI information?
Mallox – We have no goal to publish absolutely everything. Attention is shown only to the most serious and sensitive companies to data leaks.
SuspectFile – What do you think about the release of the LockBit code and the growing number of new groups that are emerging thanks to this data leak, groups made up, very often, of very young people with no knowledge of IT security?
Mallox – Any leak of the code of such large groups as LockBit or Conti is not something significant for me. For me, these products are highly overpriced and have a number of significant drawbacks, such that even I would not use them, although this is not obvious to those who are new or do not understand much about this topic.
SuspectFile – What reasons, if any, other than money and your abilities, motivated you to choose this path in your life?
Mallox – Interest in the topic of information security has been around for a long time and is not connected with money. When problems with money arose, we resorted to using the abilities that we received.
SuspectFile – What is your opinion about those larger groups that can boast more income and that thanks to this, at times, it seems that they give money a purely material value, given that for these groups having money only corresponds to having privileges and comfort?
Mallox – This is their achievement. They were able to attract the people who brought them such a profit. In this regard, they are better than us. Having financial resources, they have more opportunities for the development and improvement of software. I don’t think they have purely material motives. For many, a sense of influence is very important.
SuspectFile – Finally, how should I write your name Mallox or MalLox?