Threat Database Ransomware MERIN Ransomware

MERIN Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 1
First Seen: January 10, 2013
Last Seen: January 27, 2021
OS(es) Affected: Windows

While the Nefilim Ransomware is not among the most prolific ransomware families, it is apparent that cybercriminals are still using it to create new crypto locker threats. One of the latest variants of the Nefilim Ransomware that was detected by infosec researchers is called the MERIN Ransomware.

If the MERIN Ransomware infiltrates the target's computer successfully, it proceeds to lock the user out by encrypting the stored files with potent cryptographic algorithms. As a result, all of the most popular filetypes such as pictures, audio, video, databases, documents, etc. will be rendered unusable and inaccessible. Every file locked in this manner will have '.MERIN' appended to its original name. The threat will then drop a text file called 'MERIN-DECRYPTING.txt' in every folder containing encrypted data. These files carry the instructions left by the hackers.

According to the ransom note, victims of MERIN Ransomware should establish contact with the criminals through three provided email addresses:


Two files can be attached to the emails to be decrypted for free.

To further scare their victims into complying with the demands, the hackers threaten that MERIN Ransomware has exfiltrated sensitive data that is now under their control. If the affected users do not initiate communication, parts of the collected information will start to be leaked by the hackers. A website has been created specifically for that purpose.

The full text found in the 'MERIN-DECRYPTING.txt' files is:

'Two things have happened to your company.


All of your files have been encrypted with military-grade algorithms.

The only way to retrieve your data is with our software.

Restoration of your data requires a private key which only we possess.


Information that we deemed valuable or sensitive was downloaded from your network to a secure location.

We can provide proof that your files have been extracted.

If you do not contact us we will start leaking the data periodically in parts.


To confirm that our decryption software works email to us 2 files from random computers.

You will receive further instructions after you send us the test files.

We will make sure you retrieve your data swiftly and securely and that your data is not leaked when our demands are met.

If we do not come to an agreement your data will be leaked on this website.

Website: htxxp://

TOR link: hxxp://hxt254aygrsziejn.onion

Contact us via email:' 

The hackers behind Merin do more than just encrypt files, however. The virus also exfiltrates sensitive data to an external server. The hackers threaten to leak the information, including product details, corporate secrets, and employees' personal information if they don't get the money they want. Merin ransomware attacks should be considered a data breach event.

Use Backups to Restore Merin Files

The group behind Nefilim entered the cybersecurity bubble in August 2019 with the Nemty ransomware. Security experts created a decryption tool that hit the cybercriminals hard. The group went back to the drawing board, created new malware, targeted well-known corporations, and extorted large sums of money.

The Merin ransomware was discovered by the security researcher SiRi in mid-October 2020. The attackers hide their attack as long as possible, not declaring their intentions until they have moved across the network, stolen important information, and disabled security solutions. At this time, the virus steals company documents and sends them to attackers' servers to be leaked. The data is published on a website hosted by the virus operators if victims fail to pay the ransom demand.

The potential threat of data leaks is enough to convince most victims to pay and restore their files from a backup. Unfortunately, there are many cases where these backups are also encrypted. There are also many cases where people haven't created backups in the first place. The encryption process's security means that there is no option for file recovery other than using a backup.

There are some rare cases where victims can restore at least some of the data using System Restore or data recovery software. Still, the only sure way to decrypt files and remove the MERIN file extension is with the attackers' decryption key.

There's also the issue that data breaches are a serious security threat for any business. Severe data breaches can lead to all kinds of problems, including bankruptcy. Security experts and law enforcement are torn over whether or not victims should make the ransom payment. On the one hand, making the payment could be the only way to keep the business afloat. On the other, it also encourages the attackers to find new targets and validates their way of making money.


Most Viewed