Stratos Ally

Linux Users, Don’t Let Your Guard Down: Windows Malware Is Now in Your Territory!  


StratosAlly


Brace yourselves, Linux users; your once safe haven might not be so safe anymore. The infamous Mallox ransomware, which was once a menace for Windows users only, has now set its sights on Linux, putting countless users at risk. This revelation came after a slip-up by cybercriminals themselves, who accidentally exposed their own tools, giving cybersecurity researchers at SentinelLabs the inside scoop. That is how they uncovered Mallox Linux 1.0, a new version of the ransomware ready to wreak havoc on Linux environments.  

Mallox has been active since 2021, initially targeting unsecured MS-SQL servers on Windows. Now, it has expanded to Linux systems by adopting an older, lesser-known encryptor called Kryptina. Kryptina was created by a hacker known as “Corlys” and released last year. After failing to sell it for $800, Corlys made Kryptina freely available, hoping someone would use it. Mallox’s developers seized the opportunity by using Kryptina’s code, which is almost unchanged, including the encryption algorithm (AES-256-CBC) and decryption process. They made minor changes, like renaming it and removing any traces of its original source.  

Linux users should be concerned about this shift, since it signals a change in threat dynamics: ransomware attacks have typically been far less common on Linux. To understand how Kryptina works, think of it as a key cut for a particular kind of door. Just as a key is shaped to match one lock, Kryptina was built to get past specific security measures.

This analogy helps illustrate how the Mallox developers used Kryptina's features to reach systems that were previously out of their reach. The Mallox operators repurposed the tool, rebranded it, and adapted it to infiltrate Linux systems, which had enjoyed more protection from such attacks. Linux systems are no longer off-limits to ransomware. Hackers are expanding their horizons to systems once considered safer, so Linux users need to be more cautious as these attacks grow more sophisticated.

While no specific victims have been confirmed in this Linux-targeted expansion, Mallox’s attacks have historically impacted firms across Brazil, Vietnam, and China. The ransomware is known for not discriminating based on geography, going after vulnerable companies wherever they may be. In some cases, victims in the European Union have also been threatened with GDPR fines to increase pressure.  

This shift in tactic shows that ransomware is starting to attack different operating systems rather than sticking to just one. It acts as a wake-up call for Linux users to stay alert as these threats continue to evolve in sophistication and spread. As ransomware evolves, it is not just Windows’ concern; Linux is also in the crosshairs. Remember, an ounce of prevention is worth a pound of cure, which means everyone should take security seriously. 
