Enterprotect

MortalKombat Ransomware Campaign Targets US Systems

Enterprotect has become aware of a new financially motivated cyberattack that is targeting systems in the United States. Hackers are utilizing a variant of the Xorist commodity ransomware named 'MortalKombat,' together with the Laplas clipper in the attacks. The ransomware is used to extort victims to receive a decryptor, and Laplas is used to steal cryptocurrency by hijacking crypto transactions. MortalKombat is a Xorist ransomware variant first discovered in January 2023, named after the popular fighting video game and featuring a ransom note/wallpaper that includes art from the franchise. This advisory aims to provide an understanding of the threat, its risks, and recommendations for mitigation.

What is the Threat?

The threat is a new financially motivated cyberattack campaign that uses a variant of the Xorist commodity ransomware named 'MortalKombat,' together with the Laplas clipper. Both malware infections are used to conduct financial fraud, with the ransomware used to extort victims to receive a decryptor and Laplas to steal cryptocurrency by hijacking crypto transactions. MortalKombat is a Xorist ransomware variant first discovered in January 2023, named after the popular fighting video game and featuring a ransom note/wallpaper that includes art from the franchise.

The attacks observed by the Talos researchers focused mainly on the United States, with some victims also in the UK, Turkey, and the Philippines. The attackers are using phishing emails that contain a malicious ZIP attachment containing a BAT loader script that downloads a second archive from a remote resource. This archive contains one of the two malware payloads.

MortalKombat Victim heatmap (Cisco)
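As an added example (not code from the advisory or from Talos), a mail-gateway style check for the delivery pattern described above: a ZIP attachment carrying a BAT loader, with one level of nested ZIP handled as well. The extension list beyond `.bat` and the sample archive are assumptions constructed for this example.

```python
import io
import zipfile
from typing import List

# Member extensions that should not appear in a mailed "document" archive. The campaign
# above uses a .bat loader; the other extensions are assumed, commonly abused siblings.
LOADER_EXTENSIONS = {".bat", ".cmd", ".vbs", ".js", ".jse", ".wsf", ".ps1", ".exe", ".scr"}
MAX_DEPTH = 2  # how many nested archives to descend into


def suspicious_members(zip_bytes: bytes, depth: int = 0, prefix: str = "") -> List[str]:
    """Return paths of script/executable members in a ZIP, descending into nested ZIPs."""
    hits: List[str] = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return hits  # not a ZIP (or damaged): nothing to inspect here
    for info in archive.infolist():
        if info.is_dir():
            continue
        lower = info.filename.lower()
        # A double extension such as "Invoice.pdf.bat" still ends in the real one.
        if any(lower.endswith(ext) for ext in LOADER_EXTENSIONS):
            hits.append(prefix + info.filename)
        elif lower.endswith(".zip") and depth < MAX_DEPTH:
            hits.extend(suspicious_members(archive.read(info), depth + 1, prefix + info.filename + "/"))
    return hits


def should_quarantine(zip_bytes: bytes) -> bool:
    """Policy hook: hold the message if the archive carries any loader-like member."""
    return bool(suspicious_members(zip_bytes))


def _build_sample(nested: bool = False) -> bytes:
    """Constructed sample attachment: a ZIP with a harmless placeholder .bat, optionally
    wrapped in a second ZIP one level down."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Invoice_2023.pdf.bat", "@echo off\r\nrem constructed placeholder, no payload\r\n")
        z.writestr("readme.txt", "constructed sample")
    if not nested:
        return inner.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("attachment.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    print(suspicious_members(_build_sample(nested=True)))  # ['attachment.zip/Invoice_2023.pdf.bat']
```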

Why is it Noteworthy?

The MortalKombat ransomware campaign is noteworthy because of its financial motivations and the potential risks it poses to organizations. The threat actors behind the campaign are primarily targeting organizations in the United States, with some victims in the UK, Turkey, and the Philippines. They are using a variant of the Xorist commodity ransomware named 'MortalKombat,' together with the Laplas clipper, to conduct financial fraud. Laplas is a cryptocurrency hijacker that monitors the Windows clipboard for crypto addresses and, when found, substitutes them for addresses under the attacker's control.
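An added example of a host-side heuristic for the clipper behaviour just described (not from the advisory or from Laplas analysis): it walks a history of clipboard snapshots and flags a crypto address that was replaced by a different address of the same format within a couple of seconds, which is how a clipper behaves and how a person re-copying does not. The address formats, the time threshold and the snapshot history are assumptions constructed here.

```python
import re
from typing import List, Optional, Tuple

# Address shapes the heuristic recognises. Assumed for this example: the advisory says the
# attackers demand Bitcoin but does not list which coin formats Laplas watches.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{39,59}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

Snapshot = Tuple[float, str]  # (seconds since epoch, clipboard text)


def address_kind(text: str) -> Optional[str]:
    """Classify clipboard text as a known address format, or None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


def find_clipboard_swaps(snapshots: List[Snapshot], max_gap_s: float = 2.0) -> List[dict]:
    """Flag consecutive snapshots where one address was replaced by a different address of
    the same kind within max_gap_s seconds: a person re-copying takes longer than that,
    while a clipper rewrites the clipboard almost instantly after the user copies."""
    alerts = []
    for (t_prev, prev), (t_now, now) in zip(snapshots, snapshots[1:]):
        kind = address_kind(prev)
        if kind is None or address_kind(now) != kind or prev.strip() == now.strip():
            continue
        if t_now - t_prev <= max_gap_s:
            alerts.append({"kind": kind, "original": prev.strip(),
                           "replaced_with": now.strip(), "gap_s": round(t_now - t_prev, 3)})
    return alerts


# Constructed clipboard history with made-up addresses (not real wallets).
SAMPLE_SNAPSHOTS: List[Snapshot] = [
    (100.00, "meeting notes"),
    (105.00, "1ConstructedAddr" + "A" * 16),       # user copies the intended BTC address
    (105.15, "1AttackerAddr" + "B" * 19),          # rewritten 150 ms later: clipper behaviour
    (160.00, "0x" + "a1b2c3d4e5f6" * 3 + "a1b2"),  # user copies an ETH address
    (190.00, "0x" + "deadbeef" * 5),               # copies another one 30 s later: normal use
]

if __name__ == "__main__":
    for alert in find_clipboard_swaps(SAMPLE_SNAPSHOTS):
        print(alert)
```

On a live host the snapshot list would be fed by a clipboard monitor; the function itself only needs the (timestamp, text) pairs.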

What is the Exposure or Risk?

The exposure or risk of the MortalKombat ransomware campaign is significant. The attackers are using a variant of the Xorist commodity ransomware that is not very sophisticated, and it also targets system files and applications, which most ransomware deliberately avoids so that the victim machine remains usable. The ransomware encrypts various files on the victim machine's filesystem, such as system, application, database, backup, and virtual machine files, as well as files on remote locations mapped as logical drives on the victim's machine. Once encryption finishes, it drops the ransom note and changes the victim machine's wallpaper.

The wallpaper also acts as a ransom note, instructing the victim to use the qTOX Tor-based instant messaging app to negotiate with the cybercriminals who demand payment in Bitcoin. The attacker also provides a ProtonMail email address if the victim has trouble registering a new account on qTOX. Although MortalKombat does not feature wiper functionality, it corrupts system folders like the Recycle Bin so that the victims cannot retrieve files from there, disables the Windows Run command window, and removes all entries from Windows startup.

What are the Recommendations?

Enterprotect recommends the following steps to mitigate the risk of the MortalKombat ransomware campaign:

  • Train employees on phishing awareness: Employees should be trained to recognize and avoid phishing emails. They should be advised to avoid opening attachments or clicking on links from unknown sources.

  • Implement multi-factor authentication (MFA): Organizations should implement MFA to protect against credential stuffing attacks. MFA adds an extra layer of security by requiring users to provide more than one form of identification to access a system.

  • Regularly back up data: Organizations should regularly back up their critical data to prevent the loss of important information. Backups should be stored in a secure location and tested regularly to ensure that the data can be restored in case of a ransomware attack.

  • Keep software up to date: Organizations should keep their software up to date, including operating systems, web browsers, and third-party applications. Patches should be applied as soon as they become available to mitigate known vulnerabilities.

  • Use endpoint protection: Organizations should use endpoint protection solutions to detect and prevent malware infections. Endpoint protection solutions can identify and block malware before it can execute on the system.

  • Use network segmentation: Organizations should use network segmentation to limit the spread of malware in case of an infection. Segmentation can prevent malware from moving laterally across the network, reducing the impact of an attack.

  • Have an incident response plan: Organizations should have an incident response plan in place to respond to a ransomware attack. The plan should include procedures for containing the attack, mitigating the damage, and recovering from the attack.

  • Consider cyber insurance: Organizations should consider cyber insurance to protect against the financial losses associated with a ransomware attack. Cyber insurance policies can cover the cost of ransom payments, data recovery, and business interruption.

Conclusion

The MortalKombat ransomware campaign is a new financially motivated cyberattack that is targeting systems in the United States. The attackers are using a variant of the Xorist commodity ransomware named 'MortalKombat,' together with the Laplas clipper, to conduct financial fraud. Organizations should take steps to mitigate the risk of the MortalKombat ransomware campaign, including training employees on phishing awareness, implementing MFA, regularly backing up data, keeping software up to date, using endpoint protection, using network segmentation, having an incident response plan, and considering cyber insurance. By taking these steps, organizations can reduce the risk of a ransomware attack and mitigate the impact if one occurs.
