A new variant of the Mallox ransomware, known as Mallox Linux 1.0, has been discovered targeting Linux systems, marking a significant shift for the previously Windows-exclusive malware operation. According to cybersecurity researchers at SentinelLabs, this Linux variant is based on the leaked source code of Kryptina, a low-cost ransomware-as-a-service (RaaS) platform that initially failed to gain popularity. The shift to Linux represents an evolution in tactics for Mallox, which now has its sights set on both Linux and VMware ESXi systems, broadening the scope of its attacks.
Kryptina was originally launched in late 2023 as an affordable RaaS platform for Linux-based attacks. However, in early 2024, its administrator, known by the alias “Corlys,” leaked the source code for free on hacking forums after Kryptina failed to gain traction in the cybercrime community. This leak provided cybercriminals with an opportunity to modify and adopt the ransomware for their own purposes. The Mallox affiliate seized this chance, incorporating Kryptina’s core functionality into the newly branded Mallox Linux 1.0 while making only superficial changes, such as updating the appearance and removing references to Kryptina in the ransom notes.
Mallox Linux 1.0 retains the key technical components of Kryptina, including the AES-256-CBC encryption mechanism and decryption routines, and uses the same command-line builder and configuration parameters. This allowed the affiliate to field a working Linux encryptor with minimal development effort. Researchers also uncovered a variety of additional tools on the threat actor’s exposed server, including a Kaspersky password reset tool, privilege escalation exploits for Windows, and data folders containing potential victim information.
It remains unclear whether Mallox Linux 1.0 is being deployed by a single affiliate or multiple actors within the Mallox ransomware operation. However, its existence signals the growing threat of ransomware targeting diverse operating systems. The expansion to Linux highlights the increasing sophistication of ransomware groups and the risks posed by the use of leaked source code, further underscoring the need for organizations to implement comprehensive security measures across both Windows and Linux environments.