M3rcury Ransomware Leaks on Dark Web Cybercrime Forum
July 22, 2021 · 4 min read
Category: Malware Intelligence
Affected Industries: Education
Affected Region: Global
Executive Summary
CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post on a TOR-based private cybercrime dark web forum advertising the source code of an advanced FUD (fully undetectable) ransomware, dubbed M3rcury.
The threat actor has quoted a price of EUR 170 / USD 207 for the source code.
The threat actor claims that M3rcury is built entirely from scratch and uses a unique multi-password piecewise encryption mechanism to evade anti-ransomware protection.
Figure: Post on the underground forum advertising the sale of M3rcury ransomware
Analysis
Features of M3rcury
Based on the research and findings of the CloudSEK Threat Intelligence team, the features claimed for this ransomware code include:
Removal of backups from the victim’s system
Hybrid RSA AES-256 encryption
UAC bypass
Sandbox detection
Evasion of heuristic analysis
Heavy obfuscation
Scan-time evasion (packed and encrypted)
Encryption mechanism to defeat anti-ransomware detection
Working on Windows 7/10
What does the purchase include?
According to the seller, the purchase of this malware includes the following:
Attacker-side decryption source code written in Go.
A copy of the main ransomware executable in both 32-bit and 64-bit builds.
A unique private key for victim decryption.
Access to all future updates.
Impact & Mitigation
Impact
M3rcury ransomware eventually leads to network compromise, as it evades anti-ransomware software.
It can be leveraged to extort victims over large volumes of stolen data.
M3rcury restricts access to user data via encryption/locking.
Mitigation
Train employees to identify phishing attempts, such as emails that contain weaponized attachments or malicious links.
Employ effective IDPS/NGFW within the corporate network to detect and block ongoing attacks.
Secure RDP/VPN endpoints to prevent initial entry into the internal network.
Audit internal networks properly, especially on-premise Active Directory.
Restrict user privileges and permissions to those that are absolutely necessary.