MortalKombat Ransomware, Tied to Xorist, Used to Steal Cryptocurrency

Since December 2022, researchers at Cisco Talos have been tracking an unidentified actor that uses two recently discovered pieces of malware, the MortalKombat ransomware and a Go variant of the Laplas Clipper, to steal cryptocurrency from its victims.

The attackers were observed scanning the internet for vulnerable machines with Remote Desktop Protocol (RDP) exposed on port 3389; the download server that hosts MortalKombat also runs the RDP crawler. Based on the code, class names and registry key strings, Talos assesses that MortalKombat belongs to the Xorist ransomware family.

The attackers target individuals and businesses of all sizes and demand ransom payments in cryptocurrency, whose anonymity, decentralization and lack of regulation make the payments hard to trace. Talos advises users and organizations to take care when making cryptocurrency transactions and to verify the recipient's wallet address.

It also recommends updating computers with the latest security patches, deploying robust endpoint protection solutions with behavioral detection capabilities, and keeping tested, offline backup solutions for endpoints with a reasonable restoration time in case of a ransomware attack.

MortalKombat Infection Chain

In this campaign, the initial infection vector is a phishing email that starts a multi-stage attack chain: the attacker deploys either the ransomware or the clipper malware and then removes all traces of the malicious activity to hinder detection and analysis.

The phishing email carries a malicious ZIP file containing a BAT loader script. When the victim runs the script, it downloads a second malicious ZIP file from an attacker-controlled server, unpacks it automatically and executes the payload, which is either the Go variant of Laplas Clipper or MortalKombat ransomware. After launching the dropped payload on the victim's computer, the BAT loader deletes the downloaded and dropped malicious files, leaving no evidence of the infection behind.

In the phishing email the perpetrators impersonate CoinPayments, a legitimate cryptocurrency payment gateway. They use the spoofed sender address "noreply at CoinPayments dot net" and the subject line "[CoinPayments dot net] Payment Timed Out." The attached malicious ZIP file is named after a transaction ID quoted in the email body, which makes it look genuine to the recipient. The archive contains the BAT loader, which is activated when the user unzips the file to view its contents.
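As an added example (not code from this article or from Cisco Talos), the following Python triages an inbound message for the lure pattern described above: the timeout subject, a displayed sender domain that disagrees with the bounce domain, and a ZIP attachment named after an ID in the body that carries a BAT loader. The sample message, the Return-Path domain and the transaction ID are constructed for the demonstration.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

def _domain(header) -> str:
    # Domain part of the first address in a header value ('' if absent)
    m = re.search(r"@([\w.-]+)", str(header or ""))
    return m.group(1).lower() if m else ""

def triage_message(raw: bytes) -> list[str]:
    """Return the lure indicators found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    if "payment timed out" in str(msg["Subject"] or "").lower():
        findings.append("subject matches the CoinPayments timeout lure")
    # A displayed From domain that differs from the bounce domain hints at spoofing
    if _domain(msg["From"]) and _domain(msg["Return-Path"]) and _domain(msg["From"]) != _domain(msg["Return-Path"]):
        findings.append("From domain differs from Return-Path domain")
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content() if body else ""
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        stem = name.rsplit(".", 1)[0]
        if len(stem) >= 6 and stem in body_text:  # attachment named after an ID in the body
            findings.append(f"attachment {name!r} is named after an ID in the body")
        if data.startswith(b"PK"):  # ZIP magic; inspect entries without extracting
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    scripts = [n for n in zf.namelist() if n.lower().endswith((".bat", ".cmd"))]
            except zipfile.BadZipFile:
                scripts = []
            if scripts:
                findings.append(f"ZIP {name!r} carries script loader(s) {scripts}")
    return findings

def build_sample() -> bytes:
    """Constructed message mimicking the lure's shape; all contents are inert."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("1028452394.bat", "rem placeholder, does nothing\r\n")
    m = EmailMessage()
    m["From"] = "noreply@coinpayments.net"          # spoofed display sender
    m["Return-Path"] = "<bounce@attacker.example>"  # constructed bounce domain
    m["Subject"] = "[CoinPayments.net] Payment Timed Out"
    m.set_content("Transaction 1028452394 has timed out. Details are attached.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="1028452394.zip")
    return m.as_bytes()
```

Running `triage_message(build_sample())` yields four findings; a benign message with no matching traits yields an empty list.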

How Can You Protect Your System from Ransomware Attacks?

Ransomware attacks can be devastating, resulting in the loss of sensitive data and a significant financial cost. To protect your system from ransomware attacks, you can follow these steps:

  • Back up your data: Regularly back up your data to an offline device, such as an external hard drive, and test the backup to ensure it works correctly.
  • Keep your software updated: Install security updates and patches for your operating system and software applications as soon as they become available.
  • Use antivirus software: Install and regularly update antivirus software to detect and remove any malware that may be present on your system.
  • Be cautious when opening email attachments: Do not open email attachments from unknown senders or those that you were not expecting.
  • Use strong passwords: Use unique, strong passwords for all accounts and change them regularly.
  • Enable two-factor authentication: Enable two-factor authentication on all accounts that offer it for an additional layer of security.
  • Be cautious of suspicious links: Do not click on links from untrusted sources, especially those sent in emails or text messages.

February 16, 2023