Introduction  

In a surprising turn of events, Kryptina, a once-overlooked ransomware tool has resurfaced as a key player in enterprise cyber-attacks. Being a Ransomware-as-a-Service (RaaS) platform, it has been adopted by "Target company", the affiliates of the notorious Mallox ransomware group, highlighting the evolving nature of cybercrime.

Initially released in December 2023, Kryptina's popularity waned among cybercriminals. However, a recent data leak exposed its use by a Mallox ransomware group affiliates have adopted and modified Kryptina to launch Linux-based ransomware campaigns.

Labeled as "Mallox v1.0," this updated version of Kryptina preserves its original functionalities while removing its previous branding, underscoring the increasing commoditization of ransomware tools in the cybercriminal ecosystem. This report explores the emergence of Mallox v1.0, its utilization of Kryptina’s core capabilities, and the broader impact on enterprise cybersecurity defenses.  

‍The Kryptina-Mallox Connection

Mallox, is a well-established ransomware-as-a-service (RaaS) operation that has been targeting enterprises since 2021. Renowned for its opportunistic approach, Mallox often exploits recently disclosed vulnerabilities, such as those affecting Microsoft SQL Server, to gain initial access to target systems.  

Mallox ransomware has targeted a variety of countries and industries, demonstrating its indiscriminate approach to victims. Some notable examples include India, France, Portugal, Saudi Arabia, the United States, Brazil, and other nations. This ransomware has affected organizations in manufacturing, food and beverage, retail, transportation, government, IT, media and entertainment, business services, education, and consulting.

In December 2023, a new RaaS tool, Kryptina, was introduced by an entity named “Corlys” for $500, which later increased to $800. However, in February 2024, Corlys abruptly ceased sales and released the full source code of Kryptina on BreachForums, making it accessible to a wider range of cybercriminals.  

A staging server, set up by a Mallox affiliate, was discovered in May 2024. This server contained a collection of tools and resources used for the group's ransomware operations, including payloads and builder tools.  

The compromised staging server, located at 185[.]73[.]125[.]6, contained a variety of resources related to the Mallox ransomware operation. These resources included archives and payloads specifically designed for the Windows version of Mallox. Surprisingly, the server also hosted the modified source code for Kryptina, the ransomware-as-a-service platform. This suggests that the affiliate had access to and modified the Kryptina platform to create their own Linux-based variant of Mallox.  

It's important to note that this particular Mallox affiliate appears to be the only one using Kryptina. Other Linux variants of Mallox are not based on this platform, further complicating the understanding of the relationship between Mallox and Kryptina.  

This suggests that the Mallox affiliate merely altered the branding and name, stripping away any references to Kryptina in ransom notes, scripts, and files, while simplifying the original documentation into a "lite" version, leaving the core functionality intact.

Despite rebranding efforts, the Mallox affiliate's ransomware tool retains many of the core elements of Kryptina. The ransom note templates, originally designed for Kryptina, have been modified to remove references to the platform and replace them with "Mallox v1.0."

The original scripting_demo.py file in Kryptina offered threat actors a streamlined method for building Linux payloads directly via the command line, with a template that includes all necessary fields. This enables rapid, automated payload creation. Although these scripted builds don’t appear in the web UI, the script remains a valuable tool for threat actors aiming to automate and expedite the creation of new builds over time. The scripting_demo.py file has only undergone minor updates, primarily to rebrand it under Mallox instead of Kryptina.

Technical Analysis

Both Kryptina and Mallox offer a variety of build modes, including:  

• demo: Creates a basic version of the ransomware without encryption.

• debug: Provides detailed debugging information.

• symbols: Includes debug symbols for debugging purposes.

• arch32: Generates a 32-bit payload.

Additionally, both tools allow for customization of various parameters, such as:  

• XOR key: The key used to encrypt the configuration data within payloads.

• Thread count: The number of threads used during the encryption process.

• Persistence: Whether the ransomware should delete itself after execution.

• Max file size: The maximum size of files to be encrypted.

• Secure deletion: Whether to use secure deletion methods to overwrite deleted files  

Victim-Specific Payload Configuration

The May 2024 affiliate leak revealed output folders for 14 potential ransomware targets, each with a unique subfolder. Some folders contain config.json files along with corresponding encryptor/decryptor binaries, while others are empty, indicating incomplete payloads. The configuration files include fields for payment type, addresses, encryption keys, and ransom note templates. Seven subfolders have completed payloads with all targets sharing the same Bitcoin address (BTC 18CUq89XR81Y7Ju2UBjER14fYWTfVwpGP3) and other repeated values like "key," "bitcoin," and the extension .lmallox.  

Beyond the Linux-based Mallox 1.0 ransomware, the affiliate's server revealed a diverse array of tools and resources. These included a tool to potentially disable Kaspersky security, exploit code for CVE-2024-21338, a Windows privilege escalation vulnerability, PowerShell scripts for elevating privileges, Java-based applications for delivering the Mallox payload, disk image files containing payloads for various system architectures, and folders containing configuration data for 14 potential victims. This demonstrates the affiliate's comprehensive toolkit for targeting both Linux and Windows systems and their ability to leverage a variety of techniques to gain initial access and escalate privileges.

MITRE ATT&CK TACTICS AND TECHNIQUES  

‍

Conclusion

The Kryptina-based Mallox variants are affiliate-specific and separate from other Linux versions, illustrating the increasing complexity of ransomware ecosystems. Originally a free, underutilized RaaS tool, Kryptina’s adoption by Mallox affiliates signals a significant enhancement for the group and underscores the growing trend of ransomware commoditization.

Sources Cited:  

1. ‍https://www.sentinelone.com/labs/kryptina-raas-from-unsellable-cast-off-to-enterprise-ransomware/  
2. ‍https://www.infosecurity-magazine.com/news/kryptina-ransomware-resurfaces/  
3. ‍https://www.infosecurity-magazine.com/news/mallox-ransomware-deployed-via-ms/  
4. ‍https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-targetcompany  
5. ‍https://securelist.com/mallox-ransomware/113529/  
6. ‍https://www.blackhatethicalhacking.com/news/mallox-ransomware-targets-linux-systems-with-modified-kryptina-code/
7. ‍https://www.rewterz.com/threat-advisory/new-linux-version-of-mallox-ransomware-based-on-leaked-kryptina-code-active-iocs
8. ‍https://cybersecsentinel.com/mallox-ransomware-expands-targeting-to-linux-systems/

‍