
M0rphine Ransomware

By GoldSparrow in Ransomware

The M0rphine Ransomware is a brand-new ransomware threat detected by malware researchers. Ransomware is a very popular type of malware because it is not very difficult to build and can help a cyber crook make a quick buck.

Propagation and Encryption

Authors of ransomware threats use several propagation methods to distribute their threatening creations. Some of these infection vectors would include:

  • Mass spam email campaigns – Users receive an email containing a fake message that urges them to open the corrupted attached file. Often, the attached file is macro-laced and exploits vulnerabilities in Microsoft Office.
  • Torrent trackers – It is advisable to avoid pirated content and websites that host illicit materials, as they are often used by cyber crooks to propagate malware.
  • Corrupted advertising – Advertisements that mislead users into installing unsafe software on their systems.

Regardless of the propagation method, the M0rphine Ransomware scans your system as soon as it manages to infiltrate it. The goal is to locate your files. Next, the M0rphine Ransomware triggers its encryption process. This nasty Trojan locks almost all files present on the infected host – images, documents, audio files, videos, spreadsheets, databases, archives, etc. The newly locked files receive an additional extension: '[ID-] -[EMAIL-M0rphine@cock.li].M0rphine'. Every user affected by the M0rphine Ransomware receives a uniquely generated victim ID, which helps the cybercriminals differentiate between victims.

As mentioned above, M0rphine infects computers and encrypts the data on them. Users can't open the encrypted files, which receive a new file extension that includes the name of the ransomware and the attackers' email address. The new filename also includes the unique ID a victim must quote to get the decryption key, according to the ransom note. A file called 'doc1.doc' would become something like 'doc1.doc. [ID-764E0CF4DF4828D6303F40B19514805A] -[EMAIL-M0rphine@cock.li].M0rphine'.

The Ransom Note

In the next phase of the attack, the M0rphine Ransomware drops a ransom note on the infected host. The ransom message is contained in a file named '# M0rphine Help #.hta', which is opened in a new window. In it, the attackers explain what has happened to the victim's files and state that the user needs to acquire a decryption key to recover them. The authors of the M0rphine Ransomware do not mention a specific ransom fee – it is likely that this information is shared with the victim once they get in touch with the attackers. The creators of the M0rphine Ransomware offer to unlock three files free of charge, as long as each is no bigger than 1MB. An email address is listed as the means of communication: 'M0rphine@cock.li'.
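The renaming scheme and the note file name described above give a defender two cheap host-level indicators. The following script is an added example (not code from the original article): it parses file names that follow the quoted '<name>.[ID-…] -[EMAIL-M0rphine@cock.li].M0rphine' pattern, extracts the victim ID, and flags the '# M0rphine Help #.hta' note in a directory listing. The sample listing is constructed for the demonstration; the first entry is the article's own example.

```python
import re
from typing import Optional

# Naming scheme quoted in the article:
#   <original name>.[ID-<hex victim ID>] -[EMAIL-M0rphine@cock.li].M0rphine
# The space before '[ID-' is optional: the article shows both spellings.
M0RPHINE_NAME_RE = re.compile(
    r"^(?P<orig>.+?)\.?\s*\[ID-(?P<victim_id>[0-9A-Fa-f]+)\]"
    r"\s*-\[EMAIL-(?P<email>[^\]]+)\]\.M0rphine$"
)
RANSOM_NOTE_NAME = "# M0rphine Help #.hta"  # note file name quoted in the article


def parse_m0rphine_name(filename: str) -> Optional[dict]:
    """Original name, victim ID and contact e-mail if the name follows the scheme, else None."""
    m = M0RPHINE_NAME_RE.match(filename)
    if m is None:
        return None
    return {"original": m.group("orig"),
            "victim_id": m.group("victim_id").upper(),
            "email": m.group("email")}


def scan_file_list(filenames) -> dict:
    """Summarise a listing: renamed files, victim IDs seen, and whether the note is present."""
    encrypted, victim_ids, note_present = [], set(), False
    for name in filenames:
        if name.strip().lower() == RANSOM_NOTE_NAME.lower():
            note_present = True
            continue
        parsed = parse_m0rphine_name(name)
        if parsed:
            encrypted.append(parsed)
            victim_ids.add(parsed["victim_id"])
    return {"encrypted": encrypted,
            "victim_ids": sorted(victim_ids),
            "ransom_note_present": note_present}


# Constructed sample listing: the first entry is the article's own example,
# the remaining names are made up for this demonstration.
SAMPLE_LISTING = [
    "doc1.doc. [ID-764E0CF4DF4828D6303F40B19514805A] -[EMAIL-M0rphine@cock.li].M0rphine",
    "budget.xlsx.[ID-764E0CF4DF4828D6303F40B19514805A] -[EMAIL-M0rphine@cock.li].M0rphine",
    "holiday.jpg",
    "# M0rphine Help #.hta",
]
```

Run `scan_file_list` over a real directory listing (for example `os.listdir`) to count renamed files and confirm a single victim ID before any restore-from-backup work begins.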

The M0rphine Ransomware ransom note reads like the following:

Attention!

Your documents, photos, databases and important files have been encrypted cryptographically strong, without the cipher key recovery is impossible!

To decrypt your files you need to buy the special software - M0rphine Decryptor and your Private Decryption Key.

Using another tools could corrupt your files, in case of using third party software we dont give guarantees that full recovery is possible so use it on your own risk.

If you want to restore files, write us to the our email: M0rphine@cock.li

Please write your Personal Identification Code in body of your message.

Also attach to email 3 encrypted files for free decryption test. (each file have to be less than 1 MB size and not have valuable content)

It is in your interest to respond as soon as possible to ensure the restoration your files!

Your personal Identification Code:

The message tells victims that their documents, databases, pictures, videos, and other files are encrypted. The note also explains that a victim can only get their data back by purchasing one of the decryption keys and the decryption software from the attacker. Users should write to the email address in the message for further instructions. The victim is to include the unique ID assigned to them in communications.

The note implies the attackers are magnanimous, claiming that they will decrypt up to three files for free. The test files should be less than 1 MB each and have no valuable information. This is done as a show of faith that the encryption software does work, and implants a false sense of security in victims. The note also mentions that it would be impossible to try and decrypt the data manually – and that doing so could cause permanent data loss.

It is an unfortunate truth of ransomware that it is often impossible to recover the encrypted data without the attackers' cooperation. Security researchers may be able to release a public decryptor that works for everyone, but only in cases where the ransomware has flaws that can be exploited.

Either way, one should never pay the ransom demanded by the attackers. There is no guarantee that you will get the decryption tools you have been promised; there have been many cases where victims do not receive the tools and find themselves falling victim to scams. The only way to safely restore your data is from an external backup. You may still be able to restore some data without a backup, but it complicates the process.

How to Protect Against M0rphine

There are many different kinds of ransomware to watch out for. The main differences between them are the size of the ransom demand and their method of encryption. Ransom demands can reach four figures. Here are some tips on how malware like this spreads and how you can protect yourself against it.

The most common distribution vectors for ransomware are illegal downloads, malicious email attachments, and compromised websites. These attack patterns haven't changed much, mostly because they are still effective.

Avoid contacting cyber crooks as there is nothing to gain from trying to bargain with them. You may not receive the decryption key you need, even if you pay the ransom fee the attackers demand. Instead, consider investing in a legitimate anti-malware suite, which will aid you in removing the M0rphine Ransomware from your system safely.
