Kryptina RaaS, a free and open-source ransomware-as-a-service platform for Linux, initially attracted little attention in the cybersecurity community. That changed after a Mallox affiliate’s staging server was leaked in May 2024, revealing a modified build called Mallox v1.0 that quickly caught the eye of threat actors looking to launch ransomware campaigns.
A recent study examined the data exposed in the leak, shedding light on the differences between the original Kryptina RaaS (v2.2) and the new Mallox v1.0. The analysis found that the Mallox variant adds enhancements to the platform’s functionality, making it a more attractive option for cybercriminals seeking to carry out ransomware attacks.
Mallox, an established ransomware-as-a-service platform active since 2021, primarily targets enterprises by exploiting vulnerabilities and using brute-force tactics. Kryptina, originally developed by “Corlys,” was eventually leaked online; the leak exposed its source code and established a direct link to Mallox.
The leak showed that a Mallox affiliate used Kryptina for its Linux payloads, hinting at collaboration or customization between the two platforms. However, the way Kryptina appears within the Mallox ecosystem suggests a more nuanced relationship, potentially involving independent development or an acquisition.
Threat actors repurposed the leaked Kryptina ransomware source code to create Mallox Linux 1.0, retaining core functionality such as AES-256-CBC encryption and OpenSSL-based decryption. Although Kryptina branding was removed from most files, remnants still linger, such as references in function names within specific folders.
In addition, the ransom note templates, encryptor source files, and payload build scripts were modified to match the Mallox branding, underscoring a tailored approach to the platform’s development. The makefiles for both Kryptina and Mallox are used to build the encryptor and decryptor payloads, offering customization options for various build modes and parameters.
The May 2024 leak also uncovered a wealth of target-specific data, including per-victim subfolders containing files and tools essential to the ransomware operation. SentinelLabs noted the detailed nature of the config files, which contained specific payment information and ransom note content, pointing to a coordinated and targeted attack methodology.
The leaked affiliate server also revealed how Mallox targets Windows systems, using a range of tools for initial compromise and exploitation. The presence of PowerShell scripts, Java installers, and additional payload sets indicates a sophisticated operation geared toward infiltrating and infecting targeted systems efficiently.
In conclusion, the evolution of the Kryptina RaaS platform into the Mallox v1.0 variant marks a significant development in the ransomware landscape, showcasing the adaptability and resilience of threat actors in the face of evolving cybersecurity defenses. The relationship between Kryptina and Mallox highlights the complex dynamics at play within the cybercrime ecosystem, which continue to shape ransomware operations worldwide.