TargetCompany/Mallox Ransomware (.tohnichi, .mallox, .xollam) Support Topic

This looks like the ransom note contents we have seen with Maoloa-Alco Ransomware. 
 
Maoloa-Alco Ransomware typically will leave files (ransom notes) named HOW BACK YOUR files.txt, !INSTRUCTI0NS!.TXT, HOW TO BACK YOUR FILES.txt, !!! HOW TO BACK YOUR FILES !!!.TXT . Some of the newer variants include a special file named ids.txt or a .TXT file with hexadecimal characters such as .DF7ADA61E0284DDD4F1E, .BFC0E91B00AE8A0620D3, .C4D1664EF40CE18F8D41 in the C:\Users\User\AppData\Local\Temp folder and C:\Users\User\Desktop\.
 
What did ID Ransomware (IDR) say?

This looks like the ransom note contents we have seen with Maoloa-Alco Ransomware. 
 
Maoloa-Alco Ransomware typically will leave files (ransom notes) named HOW BACK YOUR files.txt, !INSTRUCTI0NS!.TXT, HOW TO BACK YOUR FILES.txt, !!! HOW TO BACK YOUR FILES !!!.TXT . Some of the newer variants include a special file named ids.txt or a .TXT file with hexadecimal characters such as .DF7ADA61E0284DDD4F1E, .BFC0E91B00AE8A0620D3, .C4D1664EF40CE18F8D41 in the C:\Users\User\AppData\Local\Temp folder and C:\Users\User\Desktop\.
 
What did ID Ransomware (IDR) say?

My desktop left this TXT document "RECOVERY INFORMATION".

This looks like the ransom note contents we have seen with Maoloa-Alco Ransomware. 
 
Maoloa-Alco Ransomware typically will leave files (ransom notes) named HOW BACK YOUR files.txt, !INSTRUCTI0NS!.TXT, HOW TO BACK YOUR FILES.txt, !!! HOW TO BACK YOUR FILES !!!.TXT . Some of the newer variants include a special file named ids.txt or a .TXT file with hexadecimal characters such as .DF7ADA61E0284DDD4F1E, .BFC0E91B00AE8A0620D3, .C4D1664EF40CE18F8D41 in the C:\Users\User\AppData\Local\Temp folder and C:\Users\User\Desktop\.
 
What did ID Ransomware (IDR) say?

It looks like IDR made the detection based on the ransom note email. We will need to wait for Demonslay335 to review this information.

Edited by Amigo-A, 21 February 2022 - 01:48 AM.

 

This is TargetCompany Ransomware

 

Such elements were used by them from October to January. They have long departed from using the name of the affected company and are confusing.

 

The extension can now be anything, and the pattern can be written like this:

.<target_company>

.<target_pc>

.<known_name>

It probably won't last long and they will change the extension again soon.

 

Is there any chance of decryption

As you know, Avast released a decryptor, but now the version of the ransomware-encryptor may already be different.

@xuedj

Since the infection has been confirmed, your topic has been merged with the primary support topic.

  I used the "avast_decryptor_targetCompany64" tool to decrypt it. After the third step, I have to enter a password to proceed to the next step, but I have not decrypted it before, so there is no password,

You just click on "Next" and go from there. 

 

  I used the "avast_decryptor_targetCompany64" tool to decrypt it. After the third step, I have to enter a password to proceed to the next step, but I have not decrypted it before, so there is no password,

You just click on "Next" and go from there. 

 

The next button is no longer clickable, probably because there is no such extension in the decryptor, so it is not regarded as an encrypted file

It may not be a supported extension. It is not uncommon for some ransomware decrypters to work only on certain extensions pertaining to a specific ransomware.

It may not be a supported extension. It is not uncommon for some ransomware decrypters to work only on certain extensions pertaining to a specific ransomware.

After decryption, what can I do to prevent it from being hacked again? I'm going to format the hard disk, redo the RAID and install the system, ok? Could this ransomware be in memory? I'll re-hack the system when I'm done installing it. Is there any way to clean up the memory as well?

After decryption, what can I do to prevent it from being hacked again? I'm going to format the hard disk, redo the RAID and install the system, ok?

 

Edited by Amigo-A, 22 February 2022 - 03:01 AM.

 

After decryption, what can I do to prevent it from being hacked again? I'm going to format the hard disk, redo the RAID and install the system, ok?

 

There cannot be a clear answer here.

Security depends on many factors, for the most part, you must analyze errors yourself and eliminate vulnerabilities in PC and network security.

---

In cases of ransomware attacks, the use of RAID shows all its uselessness. Both drives now have the same encrypted files instead of the originals.

It may be better to abandon such a scheme and divide the disks in order to store the most valuable files on the second disk, which should be unplugged most of the time.

 

ok,Thank you for your advice, later I regularly do cold backup process to reduce the loss

Hello. This is my first post here. I need help about this ransomware. That hacker made another ransomwares before. I searched and find a ransomware name with ".mallox" and ı think this is a new ransomware from the same hacker. I looking a solution for hours. I looked everywhere. And ı cannot find a solutions. I'm uploading an example file and the hacker's note and waiting for help. I'cant attach files from here I think because of permissions. Thank you.

example file and hackers note:

https://s7.dosya.tc/server21/t6fkzk/RECOVERY_INFORMATION.rar.html