MTX Ransomware

The Dharma ransomware family continues to remain popular among cybercriminals with new variants being regularly released in the wild. One such recent example is the MTX Ransomware threat. It operates in an identical manner to the typical Dharma variants without exhibiting any major deviations.

MTX Ransomware's Behaviour

Once fully established on the targeted computer system, MTX initiates its encryption programming that targets a large number of different file types. As a result of the ransomware's actions, affected users will be prevented from accessing any of their documents, archives, databases, PDFs, pictures, photos, etc., that were stored on the breached device.

When MTX locks a file, it also modifies that file's original name. First, the threat adds a unique string acting as the ID assigned to the specific victim. Then, an email address under the control of the attackers is appended. In this case, the email is 'mtx88@onionmail.org.' Finally, a new file extension - '.MTX,' is added to the name of the encrypted file.

The last step is to deliver a ransom note with instructions for the victim. MTX actually drops 2 different ransom-demanding messages on the infected systems. One will be placed inside a text file named 'info.txt.' The file will be created on the desktop of the system. The other ransom note will be displayed in a pop-up window.

Ransom Note Overview

The instructions from the text file are extremely brief and lack most of the important details that are usually found in such notes. Users are simply told to initiate contact with the cybercriminals by sending a message to either 'mtx88@onionmail.org' or 'mtx88@reddithub.com.'

The pop-up window delivers the main message from the hackers. It states that the secondary email address should not be used immediately. Victims are supposed to first message the primary email and wait for at least 12 hours to get an answer there. The note also warns that renaming or trying to decrypt the locked files without paying the hackers could damage the data inadvertently and render the files unsalvegeable.

MTX Ransomware's message delivered in via pop-up window:

YOUR FILES ARE ENCRYPTED
1024

Don't worry, you can return all your files!
If you want to restore them, write to the mail: mtx88@onionmail.org YOUR ID -
If you have not answered by mail within 12 hours, write to us by another mail:mtx88@reddithub.com

ATTENTION!

We recommend you contact us directly to avoid overpaying agents

Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

MTX Ransomware's instructions in the text file:

all your data has been locked us
You want to return?
write email mtx88@onionmail.org or mtx88@reddithub.com