Mallox Ransomware Linux Variant Decryptor Found
The report analyzes the Mallox ransomware, which has been active since mid-2021 and relies on multi-extortion: it encrypts victims' data and threatens to publish it on public Tor sites. Initially targeting Windows systems, Mallox has since developed Linux variants that use custom Python scripts for payload delivery and data exfiltration. The analysis reveals a Flask-based web panel for creating Linux ransomware builds, with user authentication, build management and admin functions. The encryptor uses AES-256-CBC with a specific key and IV, appends the .lmallox extension to encrypted files and drops a ransom note. The report also includes decryptors for various build IDs and covers Uptycs XDR detection capabilities and indicators of compromise.
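Because the Linux encryptor described above uses AES-256-CBC under a key and IV tied to a build, recovery is a matter of re-running CBC in reverse with the right key material and stripping the .lmallox suffix. The script below is an added example of such a per-build decryptor; it is not code from the Uptycs report or from Mallox. The key and IV bytes, the build ID, the ransom-note filename and the use of PKCS#7 padding are all assumptions made for illustration (the report's actual values and padding scheme are not given on this page), and the AES primitive comes from whichever of `cryptography` or `pycryptodome` is installed.

```python
"""Added example: per-build decryptor for files encrypted with AES-256-CBC under a
fixed key/IV and renamed with .lmallox. Key, IV, build ID, note filename and
PKCS#7 padding are ASSUMPTIONS for illustration, not values from the report."""
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".lmallox"                # suffix the report says the encryptor appends
RANSOM_NOTE = "RECOVERY INFORMATION.txt"  # hypothetical note filename (assumption)
BLOCK = 16

# Hypothetical per-build key material (32-byte key, 16-byte IV). Real builds differ.
KEYS_BY_BUILD = {
    "example-build-01": (b"\x11" * 32, b"\x22" * 16),
}


def _aes_cbc(key: bytes, iv: bytes, data: bytes, decrypt: bool) -> bytes:
    """Raw AES-CBC with no padding, using whichever AES library is available."""
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        op = Cipher(algorithms.AES(key), modes.CBC(iv))
        op = op.decryptor() if decrypt else op.encryptor()
        return op.update(data) + op.finalize()
    except ImportError:
        from Crypto.Cipher import AES  # pycryptodome fallback
        c = AES.new(key, AES.MODE_CBC, iv)
        return c.decrypt(data) if decrypt else c.encrypt(data)


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    """Strip PKCS#7 padding, refusing anything malformed. A wrong key or IV
    almost always shows up here as garbage in the final block."""
    if not data or len(data) % BLOCK:
        raise ValueError("length is not a multiple of the block size")
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding: wrong key/IV or corrupted file")
    return data[:-n]


def encrypt_file(path: Path, key: bytes, iv: bytes) -> Path:
    """Mimic the encryptor on one file; used only to build the demo input."""
    out = path.with_name(path.name + ENCRYPTED_EXT)
    out.write_bytes(_aes_cbc(key, iv, pkcs7_pad(path.read_bytes()), decrypt=False))
    path.unlink()
    return out


def decrypt_file(path: Path, key: bytes, iv: bytes) -> Path:
    """Restore one .lmallox file beside itself, then remove the encrypted copy.
    Nothing is written until the padding validates, so a wrong key never
    litters the tree with garbage 'restored' files."""
    if not path.name.endswith(ENCRYPTED_EXT) or path.name == ENCRYPTED_EXT:
        raise ValueError(f"{path} does not carry the {ENCRYPTED_EXT} suffix")
    ct = path.read_bytes()
    if len(ct) % BLOCK:
        raise ValueError(f"{path}: truncated ciphertext")
    plain = pkcs7_unpad(_aes_cbc(key, iv, ct, decrypt=True))
    out = path.with_name(path.name[: -len(ENCRYPTED_EXT)])
    out.write_bytes(plain)
    path.unlink()
    return out


def decrypt_tree(root: Path, build_id: str) -> dict:
    """Decrypt every .lmallox file under root with the build's key/IV.
    Ransom notes are counted but left in place (keep them for the IR record);
    files that fail validation are left untouched for manual triage."""
    key, iv = KEYS_BY_BUILD[build_id]
    stats = {"restored": 0, "failed": 0, "notes": 0}
    # Snapshot the listing first so freshly written plaintext is never re-visited.
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        if p.name == RANSOM_NOTE:
            stats["notes"] += 1
        elif p.name.endswith(ENCRYPTED_EXT):
            try:
                decrypt_file(p, key, iv)
                stats["restored"] += 1
            except ValueError:
                stats["failed"] += 1
    return stats


def make_sample_tree() -> tuple:
    """Constructed victim tree for the demo: two files encrypted with the
    hypothetical build key, one ransom note, and one truncated ciphertext
    that a careful decryptor must refuse rather than 'restore'."""
    root = Path(tempfile.mkdtemp(prefix="lmallox-demo-"))
    (root / "var" / "www").mkdir(parents=True)
    originals = {
        root / "var" / "www" / "index.html": b"<h1>hello</h1>\n" * 5,
        root / "notes.txt": b"exactly sixteen!",  # one full block: padding adds a whole block
    }
    key, iv = KEYS_BY_BUILD["example-build-01"]
    for p, data in originals.items():
        p.write_bytes(data)
        encrypt_file(p, key, iv)
    (root / RANSOM_NOTE).write_text("your files are encrypted (constructed note)\n")
    (root / ("truncated.db" + ENCRYPTED_EXT)).write_bytes(b"\x00" * 17)
    return root, originals


if __name__ == "__main__":
    demo_root, _ = make_sample_tree()
    print(decrypt_tree(demo_root, "example-build-01"))
```

Two habits matter more than the cipher call itself: validate the padding before writing anything, so a decryptor fed the wrong build's key fails loudly instead of silently replacing ciphertext with garbage, and work on a copy of the evidence with the ransom notes preserved until the incident record is complete.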