Mlap Ransomware Locks Files

While analyzing new file samples, we identified Mlap, a ransomware strain belonging to the Djvu family. It encrypts the victim's data and appends the ".mlap" extension to every file it compromises. Once encryption is complete, Mlap drops a ransom note named "_readme.txt."

Mlap consistently follows a specific naming pattern when it alters the filenames of the files it encrypts. For instance, it changes "1.jpg" to "1.jpg.mlap" and converts "2.png" to "2.png.mlap." Being a member of the Djvu family, Mlap could potentially be distributed alongside information stealers like RedLine and Vidar.
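The appended-extension pattern described above is useful for triage: because Mlap adds ".mlap" after the original extension rather than replacing it, an investigator can both spot hit files and recover their original names. The following is an added example (not code from the original article or from any vendor) that walks a directory tree, flags files carrying the ".mlap" suffix and any "_readme.txt" notes, and counts hits per directory. The sample tree it builds is constructed for the demonstration; the function names are this example's own.

```python
"""
Added example (not from the original article): a small triage helper that
scans a directory tree for the file-level indicators described above --
files renamed to "<original>.mlap" and the "_readme.txt" ransom note --
and reports what was hit. All paths and sample files are constructed for
the demonstration; nothing is downloaded or executed.
"""
import os
import tempfile
from pathlib import Path

MLAP_EXTENSION = ".mlap"          # extension appended by Mlap (from the article)
RANSOM_NOTE_NAME = "_readme.txt"  # ransom note filename (from the article)


def original_name(path):
    """Strip the appended ".mlap" suffix to recover the pre-encryption filename.

    Mlap appends rather than replaces the extension ("1.jpg" -> "1.jpg.mlap"),
    so removing the trailing suffix gives back the original name. Returns None
    if the name does not carry the Mlap suffix.
    """
    name = Path(path).name
    if not name.endswith(MLAP_EXTENSION) or name == MLAP_EXTENSION:
        return None
    return name[: -len(MLAP_EXTENSION)]


def scan_for_mlap_indicators(root):
    """Walk `root` and collect Mlap indicators.

    Returns a dict with:
      encrypted: sorted list of paths ending in ".mlap"
      notes:     sorted list of "_readme.txt" paths found
      by_dir:    mapping of directory -> count of encrypted files in it
    """
    encrypted, notes, by_dir = [], [], {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            if fn == RANSOM_NOTE_NAME:
                notes.append(full)
            elif original_name(fn) is not None:
                encrypted.append(full)
                by_dir[dirpath] = by_dir.get(dirpath, 0) + 1
    return {"encrypted": sorted(encrypted), "notes": sorted(notes), "by_dir": by_dir}


def build_sample_tree(root):
    """Create a constructed sample tree mimicking a hit folder (demo data only)."""
    docs = Path(root) / "Documents"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / "1.jpg.mlap").write_bytes(b"\x00" * 16)       # constructed: "encrypted" image
    (docs / "2.png.mlap").write_bytes(b"\x00" * 16)       # constructed: "encrypted" image
    (docs / "notes.txt").write_text("untouched file")     # constructed: clean file
    (docs / RANSOM_NOTE_NAME).write_text("ATTENTION!\n")  # constructed: note stub
    return str(docs)


def demo():
    """Build the sample tree in a temp dir, scan it, and return a summary."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = build_sample_tree(tmp)
        report = scan_for_mlap_indicators(tmp)
        for p in report["encrypted"]:
            print(f"encrypted: {p} (original name: {original_name(p)})")
        for p in report["notes"]:
            print(f"ransom note: {p}")
        return {
            "encrypted_count": len(report["encrypted"]),
            "note_count": len(report["notes"]),
            "originals": [original_name(p) for p in report["encrypted"]],
            "docs_hits": report["by_dir"].get(docs, 0),
        }


if __name__ == "__main__":
    demo()
```

Run it as a script to see the two flagged files and the note; on a real host, point `scan_for_mlap_indicators` at a user profile or share root and treat a directory with both ".mlap" files and a "_readme.txt" as confirmed impact rather than a stray filename match.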

The ransom note provided by Mlap ransomware includes two email addresses (support@freshmail.top and datarestorehelp@airmail.cc) and offers victims the option to acquire decryption software and a decryption key. Initially, the cost for these decryption services is set at $980.

However, if victims contact the threat actors within a 72-hour window, they are given the opportunity to purchase the decryption tools at a reduced rate of $490. Furthermore, the ransom note mentions that victims have the choice to provide one encrypted file for decryption free of charge, with the stipulation that the file should not contain any valuable data.

Mlap Ransom Note Demands Relatively Modest Ransom

The full text of the Mlap ransom note reads as follows:

ATTENTION!

Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
hxxps://we.tl/t-xN3VuzQl0a
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.

To get this software you need write on our e-mail:
support@freshmail.top

Reserve e-mail address to contact us:
datarestorehelp@airmail.cc

Your personal ID:

How Can Ransomware Like Mlap Propagate Online?

Ransomware such as Mlap can propagate online through a range of methods and attack vectors, most of which rely on tricking users or exploiting unpatched vulnerabilities in computer systems. Here are some common ways in which ransomware spreads:

  • Phishing Emails: Phishing emails are a common vector for ransomware distribution. Attackers send convincing-looking emails that contain malicious attachments or links. When users open these attachments or click on the links, it can lead to the download and execution of ransomware on their system.
  • Malicious Attachments: Ransomware can be distributed via email attachments, often in the form of infected documents (e.g., Word or Excel files) or executable files (e.g., .exe). These attachments may exploit vulnerabilities in software to execute the ransomware.
  • Malvertising: Attackers can compromise legitimate online advertising networks to display malicious ads that lead to ransomware downloads when clicked. Users may encounter these malicious ads while browsing websites.
  • Drive-By Downloads: Some websites may be compromised or set up specifically to deliver ransomware through drive-by downloads. When users visit such websites, the ransomware is silently downloaded and executed on their system without their knowledge or consent.
  • Exploiting Vulnerabilities: Ransomware authors often look for vulnerabilities in operating systems, software, or network devices. If they find a vulnerability that hasn't been patched or updated, they can use it to gain access to a system and deploy ransomware.
  • RDP (Remote Desktop Protocol) Attacks: Attackers can exploit weak or default credentials for remote desktop connections to gain access to a network. Once inside, they can deploy ransomware on multiple systems within the network.
  • Watering Hole Attacks: In a watering hole attack, attackers compromise websites that are frequented by their target audience. When users visit these compromised sites, they may unknowingly download ransomware onto their devices.
October 10, 2023