Mallox ransomware description
Contents
Mallox ransomware (alternatively known as FARGO or TargetCompany) is a highly active distributed computer virus that mainly targets unprotected MS-SQL servers but can also infect computers via malicious email attachments.The main target of this malware is to encrypt all files on the target system, append .mallox extension to every file name, and drop notes demanding for a ransom payment. There are several versions of this ransomware, and the name of the ransom note varies. Some of the examples we have analyzed dropped notes named RECOVERY INFORMATION.txt or FILE RECOVERY.txt.
To illustrate how files are renamed during the computer attack, see this example: files previously named 1.jpg, 2.png and 3.docx will be renamed to 1.jpg.mallox, 2.png.mallox, 3.docx.mallox.
The malware also runs additional process to stop various services and programs in order to encrypt files associated with them. Another notable detail about this ransomware is that it stops GPS-related programs, which could mean that the virus possibly targets organizations working with critical infrastructure sectors.
This ransomware also steals information about the computer and sends it to its Command&Control server. Previous versions of this malware also claimed to have a data leak website, where the criminals would upload names of victimized companies and threaten to publish stolen data if the victims refused to pay a ransom.
Overview of the ransom notes
RECOVERY INFORMATION.txt
The most recent samples of Mallox ransomware dropped a ransom note named RECOVERY INFORMATION.TXT, which contains information on how to get a decryption tool from the cybercriminals. The note instructs to send an email to the provided email addresses: mallox.israel@mailfence.com
or mallox@tutanota.com. Interestingly, the latter email is also used in BOZON ransomware ransom note.
The note then explains that the computer user should include the personal ID string provided in the ransom note, as well as some encrypted files when contacting the criminals via email. They promise to decrypt some files and tell the price of full data decryption service. However, the note mentions that one should not send any valuable files for test decryption.
FILE RECOVERY.txt
Other Mallox ransomware samples dropped FILE RECOVERY.txt file, which contained slightly different information. Unlike the previous example, this ransom note asks to install TOR browser and contact the cybercriminals via provided .onion website. In order to login to the portal, the user has to specify the private key, which is provided in the ransom note.
The website contains a chat window along with information panel, which includes client information (victim’s ID, weight of the files, size of hdd, blog link, test decryption status), payment details (decryption tool price, amount paid, and the date of last transaction). Finally, there is a space to leave direct link to file to be decrypted by cybercriminals, along with a notification that the file cannot be larger than 3MB in size.
Our research revealed that the criminals typically ask $1000, $2000 or larger sums of money for Mallox file decryption tool.
If you have been affected by this malware, we strongly recommend for you to remove MALLOX ransomware virus using professional software like INTEGO Antivirus. Feel free to use the removal instructions provided below the article for guidance. In addition, you may want to download RESTORO, which is a good tool for repairing virus damage on Windows OS files.
Ransomware Summary
Name | MALLOX Ransomware Virus |
Type | Ransomware; Crypto-malware; Virtual Extortion Virus |
Family | FARGO/TargetCompany |
Extension | .mallox |
Cybercriminal emails | mallox.israel@mailfence.com, recohelper@cock.li, mallox@stealthypost.net, mallox.resurrection@onionmail.org, mallox@tutanota.com |
Damage | The ransomware uses encryption to maliciously modify all files on the PC and marks their original names with .mallox extension. Ransom notes called as _FILE RECOVERY.txt or RECOVERY INFORMATION.txt will be dropped in every computer folder. The virus also threatens to publish data online if the victim refuses to pay the ransom. In addition, the malware loader downloads more malware to the system. |
Additional malware dropped | Snake keylogger, AgentTesla, Remcos |
Ransom note | _FILE RECOVERY.txt or RECOVERY INFORMATION.txt |
Ransom demand | $1000-$2000 or more in Bitcoin |
Distribution | Victims often download ransomware along illegal torrent downloads, cracked software, malicious online ads, email spam attachments. |
Detection names | Trojan:MSIL/AgentTesla.KA!MTB (Microsoft), Gen:Variant.MSILHeracles.48322 (B) (Emsisoft), HEUR:Trojan-Downloader.MSIL.Seraph.gen (Kaspersky), Gen:Variant.MSILHeracles.48322 (BitDefender), Trojan.Downloader.MSIL (Malwarebytes), MSIL.Packed.9 (Symantec) see all detection name variations on VirusTotal |
Removal | Remove ransomware and related malware from your PC using trustworthy software like INTEGO Antivirus. To repair virus damage on Windows OS files, download and try RESTORO (secure download link). |
Intego Antivirus for Windows
Award-winning antivirus solution for your PC.
Robust security software that provides robust 24/7 real-time protection, Web Shield that stops online threats/malicious downloads, and Prevention engine that wards off Zero-Day threats. Keep your PC safe and protected against ransomware, Trojans, viruses, spyware and other forms of dangerous programs.
Ransomware distribution tactics and ways to stay protected
Reports show that Mallox ransomware is commonly distributed via phishing email trying to lure users into opening the email attachment. Therefore, computer user should be extremely vigilant and inspect each email with caution. If you have the slightest suspicion that the email sender isn’t the person or a company that the message claims to be from, do not interact with the email contents. Especially do not click on provided URLs or included attachments.
Additionally, this malware is known to target companies individually, and the way cybercriminals do it via cybersecurity vulnerabilities available in database servers. Additionally, they can use brute force and dictionary attacks to break into those systems and infect them.
Speaking of safety measures that need to be taken in order to protect yourself from Mallox ransomware attack, we recommend following these suggestions by our team:
- Be careful when checking your email.
- Keep your systems and devices protected with firewall and antivirus 24/7.
- Consider investing in cybersecurity training for your employees.
- Create data backups regularly.
- Enable automatic software and system updates on computers.
Remove MALLOX Ransomware Virus and Restore Your Data
In order to remove Mallox ransomware virus from the system, take some precautionary measures. The guide provided below explains how to prepare the computer for malware removal. If you’re undecided on which AV brand to trust when removing malicious files, consider INTEGO Antivirus option.
Once Mallox virus is removed, you can download RESTORO to repair damaged Windows system files. The best option for data recovery is data backups.
OUR GEEKS RECOMMEND
Our team recommends removing malware using a professional antivirus software.
REMOVE THREATS WITH ROBUST ANTIVIRUS
Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7. This VB100-certified security software uses state-of-art technology to provide protection against ransomware, Zero-Day attacks and advanced threats, Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs.
Use INTEGO Antivirus to remove detected threats from your computer.
GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.
MALLOX ransomware virus Removal Guidelines
Method 1. Enter Safe Mode with Networking
Step 1. Start Windows in Safe Mode with Networking
Before you try to remove the virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, see a video tutorial on how to do it:
Instructions for Windows XP/Vista/7 users
- First of all, turn off your PC. Then press the Power button to start it again and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. This launches the Advanced Boot Options menu.
- Use arrow keys on the keyboard to navigate down to Safe Mode with Networking option and press Enter.
Instructions for Windows 8/8.1/10 users
- Open Windows Start menu, then press down the Power button. On your keyboard, press down and hold the Shift key, and then select Restart option.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Networking. In this case, it is the F5 key.
Step 2. Remove files associated with the virus
Now, you can search for and remove MALLOX ransomware virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable malware removal program. In addition, we suggest trying a combination of INTEGO Antivirus (removes malware and protects your PC in real-time) and RESTORO (repairs virus damage to Windows OS files).
Method 2. Use System Restore
In order to use System Restore, you must have a system restore point, created either manually or automatically.
Step 1. Boot Windows in Safe Mode with Command Prompt
Instructions for Windows XP/Vista/7 users
- Shut down your PC. Start it again by pressing the Power button and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. You will see Advanced Boot Options menu.
- Using arrow keys on the keyboard, navigate down to Safe Mode with Command Prompt option and press Enter.
Instructions for Windows 8/8.1/10 users
- Launch Windows Start menu, then click the Power button. On your keyboard, press down and hold the Shift key, and then choose Restart option with the mouse cursor.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Command Prompt. In this case, press F6 key.
Step 2. Start System Restore process
- Wait until system loads and command prompt shows up.
- Type cd restore and press Enter, then type rstrui.exe and press Enter. Or you can just type %systemroot%system32restorerstrui.exe in command prompt and hit Enter.
- This launches System Restore window. Click Next and then choose a System Restore point created in the past. Choose one that was created before ransomware infection.
- Click Yes to begin the system restoration process.
After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Alternative software recommendations
Malwarebytes Anti-Malware
Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense
If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.
Leave a Reply