A new ransomware variant called MortalKombat has been spotted striking organisations in the US, the UK, Turkey, and the Philippines. The ransomware was first seen in the wild last January and got its name because its operator drops a Mortal Kombat image as the wallpaper on affected machines.
According to the researchers, the ransomware variant can encrypt various files in an infected machine, including backups, applications, databases, VM files, systems, and remote locations mapped as logical drives.
The MortalKombat ransomware operators scan the internet for publicly exposed RDP services.
In a report, the researchers also indicated that the operators of the new ransomware variant have been scanning the web for organisations' publicly exposed remote desktop protocol (RDP) endpoints. An exposed RDP service gives attackers a way into the networks of individuals or organisations, where they can then infect machines with the ransomware.
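The exposed-RDP vector above is something a defender can watch for on the host side: a successful Windows logon with logon type 10 (RemoteInteractive, i.e. RDP) whose source address lies outside the ranges the organisation expects. The script below is an added illustration, not code from the article or the researchers it cites; the event records are constructed in a simplified key=value form, and the "expected internal ranges" list is an assumption that a real deployment would replace with its own address plan.

```python
"""Flag successful RDP logons whose source address is outside the
organisation's expected internal ranges.

Added example; not code from the article. The log lines are constructed,
in a simplified key=value rendering of Windows Security Event ID 4624.
"""
import ipaddress

# Assumed internal address plan; replace with the organisation's own ranges.
EXPECTED_INTERNAL = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Constructed sample records. LogonType 10 = RemoteInteractive (RDP).
# 4624 = successful logon, 4625 = failed logon.
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=10 Account=jsmith SourceIP=10.0.0.12",
    "EventID=4624 LogonType=10 Account=administrator SourceIP=203.0.113.45",
    "EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.45",
    "EventID=4624 LogonType=2 Account=jsmith SourceIP=127.0.0.1",
    "EventID=4624 LogonType=10 Account=backup SourceIP=198.51.100.7",
    "EventID=4624 LogonType=10 Account=svc-rdp SourceIP=not-an-ip",
]


def parse_event(line):
    """Split 'Key=Value Key=Value ...' into a dict; malformed tokens are skipped."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def is_expected_source(ip_text):
    """True when the address parses and falls inside an expected internal range.
    Unparseable addresses count as unexpected so they are surfaced, not hidden."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in EXPECTED_INTERNAL)


def rdp_logons_from_unexpected_sources(events):
    """Return (account, source) pairs for successful RDP logons from outside
    the expected ranges. Failed logons and non-RDP logon types are ignored."""
    hits = []
    for line in events:
        ev = parse_event(line)
        if ev.get("EventID") != "4624" or ev.get("LogonType") != "10":
            continue
        source = ev.get("SourceIP", "")
        if not is_expected_source(source):
            hits.append((ev.get("Account", "<unknown>"), source))
    return hits


if __name__ == "__main__":
    for account, source in rdp_logons_from_unexpected_sources(SAMPLE_EVENTS):
        print(f"successful RDP logon for {account} from unexpected source {source}")
```

The check deliberately uses an explicit allowlist of internal ranges rather than a generic "is this a public address" test, because a defender cares about deviations from the expected address plan, and address-classification helpers treat documentation and test ranges as non-global, which would silently hide them.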
Aside from infiltrating exposed RDP services, the threat actors' other attack vector is a phishing campaign: emails carrying a malicious ZIP attachment that delivers either MortalKombat or the Laplas Clipper.
Once inside a machine, the malware begins its routine, which includes changing the computer's wallpaper to a MortalKombat image, corrupting Windows Explorer, and uninstalling applications. The malware then deletes itself to evade threat analysis and detection.
In one phishing email discovered, the threat actors impersonated a cryptocurrency payment gateway called 'CoinPayments' to trick the targeted recipients into opening malicious ZIP attachments. To communicate with the targets, the attackers used the qTOX messaging app and the email address hack3dlikeapro[at]proton[.]me.
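The phishing lure described above (a brand-impersonating sender with a ZIP attachment) can be triaged automatically at the mail gateway or by an analyst. The script below is an added example, not code from the article or the researchers; it builds a constructed message in memory that mimics the described lure, then flags ZIP attachments whose members carry executable-type extensions and display names that invoke the CoinPayments brand. The brand keyword list and the risky-extension list are assumptions that a deployment would tune.

```python
"""Triage an email for brand-impersonation lures carrying ZIP attachments
with executable-type members.

Added example; not code from the article. The message, sender address and
archive contents are constructed; the executable member is a placeholder.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed lists; tune to the environment.
RISKY_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".hta", ".ps1"}
BRAND_KEYWORDS = {"coinpayments"}


def build_sample_message():
    """Construct a lure resembling the one described: CoinPayments-branded
    display name, unrelated sender domain, ZIP attachment with an .exe inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payment_receipt.exe", b"MZ placeholder, not a real binary")
    msg = EmailMessage()
    msg["From"] = "CoinPayments Billing <billing@example.invalid>"  # constructed
    msg["To"] = "finance@example.org"
    msg["Subject"] = "Your CoinPayments transaction receipt"
    msg.set_content("Please find your receipt attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="receipt.zip")
    return msg.as_bytes()


def risky_members(zip_bytes):
    """List archive members with executable-type extensions. An archive that
    cannot be read is itself reported, since damaged or password-protected
    archives are a common evasion and deserve a human look."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]
    return [n for n in names
            if any(n.lower().endswith(ext) for ext in RISKY_EXTENSIONS)]


def brand_in_display_name(msg):
    """Return the brand keyword found in the From display name, or None."""
    sender = msg["From"]
    if sender is None:
        return None
    display_name = str(sender).split("<", 1)[0].lower()
    for keyword in BRAND_KEYWORDS:
        if keyword in display_name:
            return keyword
    return None


def inspect_message(raw):
    """Return a list of findings: ('brand', keyword) when a brand name appears
    in the display name, and ('zip', filename, members) for each ZIP
    attachment containing executable-type members."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    brand = brand_in_display_name(msg)
    if brand:
        findings.append(("brand", brand))
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        if not name.lower().endswith(".zip"):
            continue
        members = risky_members(part.get_payload(decode=True))
        if members:
            findings.append(("zip", name, members))
    return findings


if __name__ == "__main__":
    for finding in inspect_message(build_sample_message()):
        print(finding)
```

A brand keyword in the display name is only a triage signal, so the script reports it alongside the attachment finding rather than deciding on its own; the sender domain should then be compared against the brand's genuine domains, which are intentionally not hard-coded here.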
Based on close observation, the analysts noticed familiar code indicating that the MortalKombat ransomware belongs to the Xorist ransomware family, which typically targets Windows OS.
The analysts also added that all of Xorist's ransomware variants have been customised versions of one another, used to create new malware strains under different names, ransom notes, and encrypted-file extensions. This tactic also helps malicious operators hide their tracks from security researchers.