M3rcury Ransomware Leaks on Dark Web Cybercrime Forum

A post on a TOR-based private cybercrime dark web forum is advertising the source code of an advanced FUD ransomware, dubbed M3rcury.
Updated on
April 19, 2023
Published on
July 22, 2021
Subscribe to the latest industry news, threats and resources.
Category Malware Intelligence
Affected Industries Education
Affected Region Global

Executive Summary

  • CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post on a TOR-based private cybercrime dark web forum, advertising the source code of an advanced FUD ransomware, dubbed M3rcury.
  • The threat actor has quoted a price of EUR 170/ USD 207 for the source code.
  • The threat actor claims that M3rcury is built entirely from scratch and uses a unique multi-password piecewise encryption mechanism to evade anti-ransomware protection.
[caption id="attachment_17570" align="aligncenter" width="825"] Post on the underground forums for the sale of M3rcury Ransomware[/caption]  


Features of M3rcury Based on the research and findings conducted by the CloudSEK Threat Intelligence team, the features of this ransomware code include:
  • Removal of backups from the victim’s system
  • Hybrid RSA AES-256 encryption
  • UAC bypass
  • Sandbox detection
  • Evasion of heuristic analysis
  • Heavy obfuscation
  • Scantime, packed and encrypted
  • Encryption mechanism to defeat anti-ransomware detection
  • Working on Windows 7/10
  What does the purchase include? According to the seller, the purchase of this malware includes the following:
  • Attacker side decryption source code written in golang.
  • A copy of the main ransomware executable in both 32 and 64 bit.
  • A unique private key for victim decryption.
  • Access to all future updates.

Impact & Mitigation

  • M3rcury ransomware eventually leads to network compromise as it evades anti-ransomware softwares.
  • It can be leveraged to extort large volumes of data from its victims.
  • M3rcury restricts access to user data via encryption/locking.
  • Train employees to identify phishing attempts, phishing emails that contain weaponized attachments or malicious links.
  • Employ effective IDPS/ NGFW within the corporate network to prevent ongoing attacks.
  • Secure RDP/ VPN endpoints to prevent the initial entry into the internal network.
  • Proper auditing of internal networks, especially on-premise Active Directory.
  • Restrict user privileges and permissions, unless absolutely necessary.

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations