Any files that are encrypted with TargetCompany/Mallox Ransomware will have a .tohnichi, .artiis, .herrco, .mallox, .brg, .architek, .herrco, .exploit, .carone, .avast, .consultransom, .devicZz, .bozon, .acookies, .bozon3, .FARGO, .Fargo3, .milovski, .xollam, .bitenc, .malox, .mawahelper, .brocamel, .encrypted, .malloxx, .ma1x0 extension appended to the end of the encrypted data filename and typically will leave files (ransom notes) named How to decrypt files.txt, HOW TO RECOVER !!.TXT, RECOVERY INFORMATION.txt, FILE RECOVERY.txt, RECOVERY INFORMATION !!!.txt, RECOVERY FILES.txt, How to decrypt files.txt, as explained here by Amigo-A (Andrew Ivanov).
TargetCompany Ransomware encrypts user data using a combination of the ChaCha20, AES-128 and Curve25519 algorithms.
Avast released a free TargetCompany Ransomware utility for victims of this ransomware which may restore encrypted files under certain circumstances. However, the criminals changed the encryption process for newer variants, so the Avast decryptor does not support all variants. If you have 64-bit Windows, choose the 64-bit build (avast_decryptor_targetcompany64.exe); if you have 32-bit Windows, choose the 32-bit build (avast_decryptor_targetcompany.exe). Run the executable file to start the decryptor, which leads you through the configuration of the decryption process.
If the Avast decryptor does not work on the variant which infected your files, rivitna (Andrey Zhdanov) may be able to help some victims of older variants. rivitna has provided a public link to the Mallab Decryptor for victims infected by several variants.
This decryptor brutes the decryption key.
To get the decryption key, you need to run the decryptor on the compromised computer (!).
MallabDecryptorEx.exe -type <ENCTYPE> -key <ENCFILE>
ENCTYPE:
  old_mallox   *.mallox (from October 2022 to March 2023)
  old_xollam   *.xollam (January 2023)
  bitenc       *.bitenc (January 2023)
  malox        *.malox (from April 2023 to July 2023)
  mallox       *.mallox (August 2023)
  xollam       *.xollam (August 2023)
  malloxx      *.malloxx (August 2023)
  mallab       *.mallab (from September 2023 to October 2023) (by default)
ENCFILE - any encrypted file.
If successful, 'keys.bin' will be created. You don't need to do this stage anymore.
If Windows is reinstalled or the system disk is formatted, the key can also be bruted. In this case, write to me.
Here is the list of Mallox samples supported by the decryptor.
https://github.com/rivitna/Malware/blob/main/Mallox/Supported_samples.txt
To brute the decryption key, you need to run the decryptor only on the compromised computer!!!
If Windows has been reinstalled or if the system disk has been formatted, the key can also be bruted.
In these cases, write to me.
If you have become a victim of the "corporate" version of Mallox, also write to me.
The decryptor can't brute the key if Windows has been reinstalled or if the system disk has been formatted.
The decryptor also doesn't brute the key if attackers used the "corporate" version of Mallox.
My files were ENCRYPTED by the virus. I checked each encrypted file.
The encrypted file has two characteristics: one is that the file is 88 bytes longer than the original file. The second is that the last 32 bytes of each file are the same. Can anyone help me? Thanks a lot.
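The two observations in the post above can be checked across a whole folder before deciding which ENCTYPE or decryptor to try. The script below is an added example, not part of the thread or of any decryptor mentioned in it; it assumes only the extensions, the 88-byte growth and the 32-byte shared tail stated on this page, and its function names are made up for illustration.

```python
import os, sys, tempfile
from collections import defaultdict

# Values below come from the thread; nothing else about the file layout is assumed.
EXTS = {e.lower() for e in (
    ".tohnichi .artiis .herrco .mallox .brg .architek .exploit .carone .avast "
    ".consultransom .devicZz .bozon .acookies .bozon3 .FARGO .Fargo3 .milovski "
    ".xollam .bitenc .malox .mawahelper .brocamel .encrypted .malloxx .ma1x0").split()}
GROWTH = 88   # bytes an encrypted file gains, as reported in the post
TAIL = 32     # trailing bytes reported identical in every file

def read_tail(path, n=TAIL):
    """Return (file size, last n bytes) without reading the whole file."""
    with open(path, "rb") as f:
        size = f.seek(0, os.SEEK_END)
        f.seek(max(0, size - n))
        return size, f.read(n)

def survey(root):
    """Map (extension, hex of last 32 bytes) -> list of matching files under root."""
    groups = defaultdict(list)
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            ext = os.path.splitext(name)[1].lower()
            if ext not in EXTS:
                continue
            path = os.path.join(dirpath, name)
            size, tail = read_tail(path)
            if size >= GROWTH:   # smaller files cannot carry the 88-byte addition
                groups[(ext, tail.hex())].append(path)
    return dict(groups)

def growth_matches(encrypted, original):
    """True if the encrypted copy is exactly 88 bytes longer than a known-good original."""
    return os.path.getsize(encrypted) - os.path.getsize(original) == GROWTH

if __name__ == "__main__":
    if len(sys.argv) > 1:
        root = sys.argv[1]
    else:  # constructed sample: two files sharing a tail, one with a different tail
        root = tempfile.mkdtemp()
        for name, tail in (("a.doc.mallox", b"K" * 32), ("b.xls.mallox", b"K" * 32),
                           ("c.txt.mallox", b"Z" * 32)):
            with open(os.path.join(root, name), "wb") as f:
                f.write(os.urandom(100) + bytes(56) + tail)
    for (ext, tail), paths in survey(root).items():
        print(f"{ext}  tail={tail[:16]}...  files={len(paths)}")
```

Run it read-only against a copy or image of the affected disk; the extension and the number of distinct tail groups are useful details to include when asking for help with a sample.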