Good news for the victims of the recently discovered MortalKombat ransomware: the antivirus firm Bitdefender has released a free decryptor that allows them to recover their files without paying the ransom.
Since December 2022, Cisco Talos researchers have been observing an unidentified, financially motivated threat actor deploying two new malware families: the MortalKombat ransomware and a Go variant of the Laplas Clipper malware.
The similarities in code, class names, and registry key strings led the experts to assess with high confidence that MortalKombat belongs to the Xorist ransomware family.
The threat actors use a multi-stage attack chain that begins with a phishing email carrying a ZIP attachment that contains a BAT loader script.
“Once executed, MortalKombat Ransomware encrypts data and generates files with a specific extension: ..Remember_you_got_only_24_hours_to_make_the_payment_if_you_dont_pay_prize_will_triple_Mortal_Kombat_Ransomware. It also changes the desktop wallpaper to give it a Mortal Kombat theme and generates a ransom note called HOW TO DECRYPT FILES.txt.” reads the post published by Bitdefender.
MortalKombat first appeared on the threat landscape in January 2023. It targets a wide range of files on the victim machine’s filesystem, including system, application, database, backup, and virtual machine files, as well as files on remote locations mapped as logical drives.
Unlike many other ransomware families, MortalKombat did not show any wiper behavior and did not delete the volume shadow copies on the infected systems. It does, however, corrupt Windows Explorer, remove applications and folders from Windows startup, and disable the Run command window, leaving the system inoperable.
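The file suffix and ransom note name quoted above are the two host-level indicators a responder can sweep for before running the decryptor, and the file categories Talos lists (database, backup, virtual machine files) are what an inventory should be sized by. The Python script below is an added example, not code from Bitdefender, Cisco Talos or this post: it walks a directory tree, collects encrypted files and ransom notes, and groups the encrypted files by the extension of their original name. The directory tree it builds is a constructed sample, and all function names are the example's own.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Suffix MortalKombat appends to encrypted files, as quoted from the Bitdefender post.
MK_SUFFIX = (
    "..Remember_you_got_only_24_hours_to_make_the_payment_if_you_dont_pay_"
    "prize_will_triple_Mortal_Kombat_Ransomware"
)
# Ransom note file name reported by Bitdefender.
RANSOM_NOTE = "HOW TO DECRYPT FILES.txt"


def original_name(encrypted_name: str) -> str:
    """Strip the MortalKombat suffix to recover the pre-encryption file name."""
    if not encrypted_name.endswith(MK_SUFFIX):
        raise ValueError(f"not a MortalKombat-encrypted name: {encrypted_name}")
    return encrypted_name[: -len(MK_SUFFIX)]


def triage(root: str) -> dict:
    """Walk a tree and inventory MortalKombat artifacts.

    Returns the sorted list of encrypted files, the sorted list of ransom
    notes, and a count of encrypted files grouped by original extension.
    """
    encrypted, notes = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name.endswith(MK_SUFFIX):
                encrypted.append(full)
            elif name == RANSOM_NOTE:
                notes.append(full)
    by_ext = Counter(
        Path(original_name(os.path.basename(p))).suffix.lower() or "(none)"
        for p in encrypted
    )
    return {"encrypted": sorted(encrypted), "notes": sorted(notes), "by_ext": dict(by_ext)}


def build_sample_tree() -> str:
    """Create a throwaway directory imitating an infected host (constructed sample, not real data)."""
    root = tempfile.mkdtemp(prefix="mk_triage_")
    layout = {
        "Documents/report.docx" + MK_SUFFIX: b"\x00" * 16,
        "Documents/budget.xlsx" + MK_SUFFIX: b"\x00" * 16,
        "Backups/db.bak" + MK_SUFFIX: b"\x00" * 16,
        "VMs/web.vmdk" + MK_SUFFIX: b"\x00" * 16,
        "Documents/" + RANSOM_NOTE: b"contact us on qTOX\n",
        "Backups/" + RANSOM_NOTE: b"contact us on qTOX\n",
        "Documents/untouched.txt": b"clean file\n",
    }
    for rel, data in layout.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root


def run_sample() -> dict:
    """Build the constructed tree and triage it; returns the inventory dict."""
    return triage(build_sample_tree())


if __name__ == "__main__":
    result = run_sample()
    print(f"{len(result['encrypted'])} encrypted files, {len(result['notes'])} ransom notes")
    for ext, n in sorted(result["by_ext"].items()):
        print(f"  {ext}: {n}")
```

On a real case, point `triage()` at each local volume and at every mapped drive letter, since the article notes that files on remote locations mapped as logical drives are also encrypted. The script only scopes the incident; the decryption itself is left to the Bitdefender tool.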
The ransom note instructs the victim to contact the attacker through the qTOX instant messaging application.
Most of the victims are located in the U.S., but experts observed limited infections in the United Kingdom, Turkey, and the Philippines.
The tool released by Bitdefender works against the current version of MortalKombat and can be downloaded from Bitdefender. Because it targets that specific version, responders should confirm that the file extension and ransom note on the affected hosts match those described above before relying on it.
The company pointed out that the decryptor can also be run silently from the command line, which is useful for automating its deployment across a large network.