Contents
Mallox ransomware (alternatively known as FARGO or TargetCompany) is a highly active distributed computer virus that mainly targets unprotected MS-SQL servers but can also infect computers via malicious email attachments.The main target of this malware is to encrypt all files on the target system, append .mallox extension to every file name, and drop notes demanding for a ransom payment. There are several versions of this ransomware, and the name of the ransom note varies. Some of the examples we have analyzed dropped notes named RECOVERY INFORMATION.txt or FILE RECOVERY.txt.
To illustrate how files are renamed during the computer attack, see this example: files previously named 1.jpg, 2.png and 3.docx will be renamed to 1.jpg.mallox, 2.png.mallox, 3.docx.mallox.
The malware also runs additional process to stop various services and programs in order to encrypt files associated with them. Another notable detail about this ransomware is that it stops GPS-related programs, which could mean that the virus possibly targets organizations working with critical infrastructure sectors.
This ransomware also steals information about the computer and sends it to its Command&Control server. Previous versions of this malware also claimed to have a data leak website, where the criminals would upload names of victimized companies and threaten to publish stolen data if the victims refused to pay a ransom.
The most recent samples of Mallox ransomware dropped a ransom note named RECOVERY INFORMATION.TXT, which contains information on how to get a decryption tool from the cybercriminals. The note instructs to send an email to the provided email addresses: mallox.israel@mailfence.com
or mallox@tutanota.com. Interestingly, the latter email is also used in BOZON ransomware ransom note.
The note then explains that the computer user should include the personal ID string provided in the ransom note, as well as some encrypted files when contacting the criminals via email. They promise to decrypt some files and tell the price of full data decryption service. However, the note mentions that one should not send any valuable files for test decryption.
Other Mallox ransomware samples dropped FILE RECOVERY.txt file, which contained slightly different information. Unlike the previous example, this ransom note asks to install TOR browser and contact the cybercriminals via provided .onion website. In order to login to the portal, the user has to specify the private key, which is provided in the ransom note.
The website contains a chat window along with information panel, which includes client information (victim’s ID, weight of the files, size of hdd, blog link, test decryption status), payment details (decryption tool price, amount paid, and the date of last transaction). Finally, there is a space to leave direct link to file to be decrypted by cybercriminals, along with a notification that the file cannot be larger than 3MB in size.
Our research revealed that the criminals typically ask $1000, $2000 or larger sums of money for Mallox file decryption tool.
If you have been affected by this malware, we strongly recommend for you to remove MALLOX ransomware virus using professional software like INTEGO Antivirus. Feel free to use the removal instructions provided below the article for guidance. In addition, you may want to download RESTORO, which is a good tool for repairing virus damage on Windows OS files.
Name | MALLOX Ransomware Virus |
Type | Ransomware; Crypto-malware; Virtual Extortion Virus |
Family | FARGO/TargetCompany |
Extension | .mallox |
Cybercriminal emails | mallox.israel@mailfence.com, recohelper@cock.li, mallox@stealthypost.net, mallox.resurrection@onionmail.org, mallox@tutanota.com |
Damage | The ransomware uses encryption to maliciously modify all files on the PC and marks their original names with .mallox extension. Ransom notes called as _FILE RECOVERY.txt or RECOVERY INFORMATION.txt will be dropped in every computer folder. The virus also threatens to publish data online if the victim refuses to pay the ransom. In addition, the malware loader downloads more malware to the system. |
Additional malware dropped | Snake keylogger, AgentTesla, Remcos |
Ransom note | _FILE RECOVERY.txt or RECOVERY INFORMATION.txt |
Ransom demand | $1000-$2000 or more in Bitcoin |
Distribution | Victims often download ransomware along illegal torrent downloads, cracked software, malicious online ads, email spam attachments. |
Detection names | Trojan:MSIL/AgentTesla.KA!MTB (Microsoft), Gen:Variant.MSILHeracles.48322 (B) (Emsisoft), HEUR:Trojan-Downloader.MSIL.Seraph.gen (Kaspersky), Gen:Variant.MSILHeracles.48322 (BitDefender), Trojan.Downloader.MSIL (Malwarebytes), MSIL.Packed.9 (Symantec) see all detection name variations on VirusTotal |
Removal | Remove ransomware and related malware from your PC using trustworthy software like INTEGO Antivirus. To repair virus damage on Windows OS files, download and try RESTORO (secure download link). |
Intego Antivirus for Windows
Award-winning antivirus solution for your PC.
Robust security software that provides robust 24/7 real-time protection, Web Shield that stops online threats/malicious downloads, and Prevention engine that wards off Zero-Day threats. Keep your PC safe and protected against ransomware, Trojans, viruses, spyware and other forms of dangerous programs.
Reports show that Mallox ransomware is commonly distributed via phishing email trying to lure users into opening the email attachment. Therefore, computer user should be extremely vigilant and inspect each email with caution. If you have the slightest suspicion that the email sender isn’t the person or a company that the message claims to be from, do not interact with the email contents. Especially do not click on provided URLs or included attachments.
Additionally, this malware is known to target companies individually, and the way cybercriminals do it via cybersecurity vulnerabilities available in database servers. Additionally, they can use brute force and dictionary attacks to break into those systems and infect them.
Speaking of safety measures that need to be taken in order to protect yourself from Mallox ransomware attack, we recommend following these suggestions by our team:
In order to remove Mallox ransomware virus from the system, take some precautionary measures. The guide provided below explains how to prepare the computer for malware removal. If you’re undecided on which AV brand to trust when removing malicious files, consider INTEGO Antivirus option.
Once Mallox virus is removed, you can download RESTORO to repair damaged Windows system files. The best option for data recovery is data backups.
OUR GEEKS RECOMMEND
Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:
GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.
MALLOX ransomware virus Removal Guidelines
Before you try to remove the virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, see a video tutorial on how to do it:
Instructions for Windows XP/Vista/7 users
Instructions for Windows 8/8.1/10 users
Now, you can search for and remove MALLOX ransomware virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable malware removal program. In addition, we suggest trying a combination of INTEGO Antivirus (removes malware and protects your PC in real-time) and RESTORO (repairs virus damage to Windows OS files).
In order to use System Restore, you must have a system restore point, created either manually or automatically.
Instructions for Windows XP/Vista/7 users
Instructions for Windows 8/8.1/10 users
After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Malwarebytes Anti-Malware
Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense
If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.
KIFR ransomware attack: how does this malware affect data stored on computers? KIFR is a…
If you're running into the "The User Profile Service failed the logon/sign in" message when…
JYPO virus arrives to encrypt files on computers JYPO ransomware is a harmful computer virus that…
JYWD virus attacks files stored on computers and encrypts them JYWD virus is a ransomware-type…
TYPO ransomware operators attempt to extort computer users TYPO ransomware is a computer virus that…
TYOS ransomware: a file-encrypting menace to computer users TYOS ransomware is a malicious computer virus…
This website uses cookies.