Cisco’s Talos cybersecurity team has been tracking an unidentified threat actor behind a campaign that delivers the MortalKombat ransomware, a variant of the Xorist commodity ransomware, as well as a Go variant of the Laplas Clipper malware.
The detailed advisory by Talos states that, once a computer is infected, it displays a Mortal Kombat 11 wallpaper along with a note instructing the victim to contact the attackers using qTox. For your information, qTox is an instant messaging app that is available for download via GitHub.
The lure email claims that the user’s payment has timed out and carries an attachment: a zipped file, named to look like a CoinPayments transaction number, that contains the malicious payload.
Opening the attachment starts a multi-stage attack chain in which the actor delivers either the Laplas Clipper malware or the MortalKombat ransomware. The ransomware encrypts all files on the infected system, including those in the trash bin and virtual machine files. It corrupts Windows Explorer, deletes folders and files from the start-up menu, and disables the Run Command.
If the attachment instead drops Laplas Clipper, the victim’s cryptocurrency wallet is the target. The malware monitors the computer’s clipboard for cryptocurrency wallet addresses.
When one is found, it is sent to the attacker’s server, where a Clipper bot generates a lookalike address controlled by the attacker and replaces the clipboard entry with it. According to Cisco Talos’ blog post, this lets the threat actors receive the funds the victim was attempting to transfer, because the pasted destination address is now the attacker’s rather than the intended one.
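The clipboard-swap behaviour described above can be caught on the defender's side by remembering what the user actually copied and alerting when the clipboard later holds a different address of the same shape without a new copy action. The following is an added illustration of that check, not code from Cisco Talos or from the malware; the address patterns are loose shape checks (a real deployment would use per-chain checksum validation), the `ClipboardGuard` class and `run_guard` helper are hypothetical, and the event stream is constructed sample data.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Loose address-shape patterns for two common targets. Assumption: these are
# illustrative only; production code should do full checksum validation.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[0-9a-z]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_type(text: str) -> Optional[str]:
    """Return the chain label whose address shape `text` matches, or None."""
    text = text.strip()
    for label, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return label
    return None


@dataclass
class ClipboardGuard:
    """Remembers the last value the user explicitly copied and flags silent swaps.

    A clipper replaces a wallet address in the clipboard with one of the same
    shape, so from the user's point of view nothing visibly changed. The guard
    alerts when a clipboard poll shows a *different* address of the same type
    as the one the user last copied, with no copy action in between.
    """
    last_user_copy: Optional[str] = None
    alerts: list = field(default_factory=list)

    def user_copied(self, text: str) -> None:
        """Record a deliberate copy action by the user."""
        self.last_user_copy = text.strip()

    def observe_clipboard(self, current: str) -> bool:
        """Return True if `current` looks like a clipper substitution."""
        current = current.strip()
        if self.last_user_copy is None or current == self.last_user_copy:
            return False
        expected_type = address_type(self.last_user_copy)
        if expected_type is None:
            return False  # the user did not copy an address; nothing to protect
        if address_type(current) == expected_type:
            self.alerts.append((self.last_user_copy, current))
            return True
        return False


# Constructed event stream: ("user", value) = the user pressed copy,
# ("poll", value) = a periodic read of the clipboard contents.
SAMPLE_EVENTS = [
    ("user", "0x52908400098527886E0F7030069857D2E4169EE7"),
    ("poll", "0x52908400098527886E0F7030069857D2E4169EE7"),
    ("poll", "0x8617E340B3D01FA5F11F306F4090FD50E238070D"),  # silently swapped
    ("user", "meeting notes"),
    ("poll", "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),  # not a swap: user copied text
]


def run_guard(events):
    """Feed an event stream through a ClipboardGuard and return its alerts."""
    guard = ClipboardGuard()
    for source, value in events:
        if source == "user":
            guard.user_copied(value)
        else:
            guard.observe_clipboard(value)
    return guard.alerts


if __name__ == "__main__":
    for original, replaced in run_guard(SAMPLE_EVENTS):
        print(f"ALERT: clipboard address changed from {original} to {replaced}")
```

The guard only knows about copy actions it is told about, so in practice it would hook the OS clipboard-change notification and distinguish the foreground application's copy from a background write; the point of the example is the comparison logic, which is what a clipper must defeat to go unnoticed.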
“The loader script will run the dropped payload as a process in the victim’s machine, then delete the downloaded and dropped malicious files to clean up the infection markers.”
Cisco Talos Intelligence Group
The campaign has reportedly been targeting individuals, small businesses, and large corporations alike in the United States, England, Turkey, and the Philippines.
The best way to protect yourself from similar ransomware campaigns is to be wary of unexpected emails from services you use. Until you have confirmed that the email came from a legitimate sender, do not open any attachments it carries.
Keeping the nature of this ransomware campaign in mind, Cisco Talos also encouraged companies to remain vigilant when performing cryptocurrency transactions.