Merry X-Mas Ransomware Campaign Is Underway

At first sight, the ransom Trojan called Merry X-Mas, or MRCR, is quite a run-of-the-mill sample. It mutilates one’s personal files using a strong encryption algorithm and then demands a ransom to restore the hostage data. Upon closer scrutiny, though, this strain turns out to be a much more serious threat than it appears. It is accompanied by identity-stealing malware referred to as DiamondFox. This concomitant offending code is capable of collecting a victim’s passwords and other secret information, subsequently exfiltrating these sensitive details to criminals’ server.Although the distribution of the Merry X-Mas digital plague seems way overdue now that the Christmas theme isn’t relevant, it is on the rise and showing a potential to become more widespread. Moreover, the cyber crooks at the helm of this campaign have recently launched a new variant that appends the .merry extension to victims’ files. This edition also uses a new name for the ransom note, which is an application called Merry_I_Love_You_Bruce.hta.According to the instructions that the infection provides, a compromised user needs to send his or her personal ID to comodosec@yandex.com or submit it to the criminals’ Telegram account @comodosecurity. The ID indicated in the ransom manual is unique to every victim and consists of 32 hexadecimal characters. More detailed decryption directions will be received in a personal message. There is a time restriction to pay up, usually five days. The attackers claim to erase the private decryption key after this period expires.Despite the fact that the .merry file extension virus is shaping up to be a high-severity crypto infection, there is hope when it comes to defeating it. The Emsisoft software vendor released a free decryptor for this version. However, the perpetrators keep fine-tuning their code so that decryption tools become useless. One way or another, prevention is so much better than cure. So be sure to maintain backups and stay away from email spam.