All Threat Intelligence posts

M3rcury Ransomware Leaks on Dark Web Cybercrime Forum

July 22, 2021
4
min read
Category Malware Intelligence
Affected Industries Education
Affected Region Global

 

Executive Summary

  • CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post on a TOR-based private cybercrime dark web forum, advertising the source code of an advanced FUD ransomware, dubbed M3rcury.
  • The threat actor has quoted a price of EUR 170/ USD 207 for the source code.
  • The threat actor claims that M3rcury is built entirely from scratch and uses a unique multi-password piecewise encryption mechanism to evade anti-ransomware protection.

Post on the underground forums for the sale of M3rcury Ransomware

 

Analysis


Features of M3rcury

Based on the research and findings conducted by the CloudSEK Threat Intelligence team, the features of this ransomware code include:

  • Removal of backups from the victim’s system
  • Hybrid RSA AES-256 encryption
  • UAC bypass
  • Sandbox detection
  • Evasion of heuristic analysis
  • Heavy obfuscation
  • Scantime, packed and encrypted
  • Encryption mechanism to defeat anti-ransomware detection
  • Working on Windows 7/10

 

What does the purchase include?

According to the seller, the purchase of this malware includes the following:

  • Attacker side decryption source code written in golang.
  • A copy of the main ransomware executable in both 32 and 64 bit.
  • A unique private key for victim decryption.
  • Access to all future updates.

 

Impact & Mitigation

Impact
Mitigation
  • M3rcury ransomware eventually leads to network compromise as it evades anti-ransomware softwares.
  • It can be leveraged to extort large volumes of data from its victims.
  • M3rcury restricts access to user data via encryption/locking.
  • Train employees to identify phishing attempts, phishing emails that contain weaponized attachments or malicious links.
  • Employ effective IDPS/ NGFW within the corporate network to prevent ongoing attacks.
  • Secure RDP/ VPN endpoints to prevent the initial entry into the internal network.
  • Proper auditing of internal networks, especially on-premise Active Directory.
  • Restrict user privileges and permissions, unless absolutely necessary.
Tags:
No items found.