Researchers Release MortalKombat Ransomware Decryptor


Victims of the MortalKombat ransomware variant have been handed a lifeline, after Bitdefender released a new decryption key on Tuesday.

The security firm said it had been monitoring MortalKombat since its appearance in January this year.

“Based on the Xorist ransomware, MortalKombat spreads through phishing emails and targets exposed RDP instances,” it explained. “The malware gets planted through the BAT Loader that also delivers the Laplas Clipper malware.”

In fact, it is the variant’s underlying Xorist codebase which is likely to have enabled the security researchers to provide a decryption key in record time. Xorist is a commodity ransomware family for which a decryptor has been available for several years.

Victims of MortalKombat had their data encrypted, and files were generated with an unusually long extension: “Remember_you_got_only_24_hours_to_make_the_payment_if_you_dont_pay_prize_will_triple_Mortal_Kombat_Ransomware.”

They also found the desktop wallpaper changed to a Mortal Kombat theme and a ransom note titled: “Hhow to decrypt files.txt.”

Bitdefender said its decryptor could also be executed silently via a command line – particularly handy for organizations wanting to automate its deployment inside a large network.

As reported by Infosecurity, the original MortalKombat threat actor was also observed dropping the Laplas Clipper clipboard stealer malware, to target cryptocurrency users.

“Laplas Clipper targets users by employing regular expressions to monitor the victim machine’s clipboard for their cryptocurrency wallet address,” said Cisco Talos in its original report on the campaign.

“Once the malware finds the victim’s wallet address, it sends it to the attacker-controlled Clipper bot, which will generate a lookalike wallet address and overwrite it to the victim’s machine’s clipboard. If victims subsequently attempt to use the lookalike wallet address while performing transactions, the result will be a fraudulent cryptocurrency transaction.”
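A defensive counterpart to the clipboard swap Talos describes, as an added example that is not from Talos, Bitdefender or the original article: a wallet or payment form can compare the address the user copied with the value about to be submitted and flag a same-type address that only matches at its ends. The function names, result labels, the three address patterns and the `min_edge` threshold are assumptions chosen for illustration.

```python
import re

# Address shapes only (no checksum validation); enough to recognise a wallet string.
WALLET_PATTERNS = {
    "bitcoin_legacy": re.compile(r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}"),
    "bitcoin_bech32": re.compile(r"bc1[ac-hj-np-z02-9]{11,71}"),
    "ethereum": re.compile(r"0x[0-9a-fA-F]{40}"),
}
# Characters every address of a type starts with; they say nothing about similarity.
FIXED_PREFIX = {"bitcoin_legacy": 1, "bitcoin_bech32": 3, "ethereum": 2}


def wallet_type(text):
    """Return the name of the address pattern the whole string matches, else None."""
    for name, pattern in WALLET_PATTERNS.items():
        if pattern.fullmatch(text.strip()):
            return name
    return None


def common_prefix_len(a, b):
    """Number of leading characters two strings share."""
    count = 0
    for x, y in zip(a, b):
        if x != y:
            break
        count += 1
    return count


def check_paste(intended, pasted, min_edge=3):
    """Compare the address the user copied with what is about to be submitted."""
    intended, pasted = intended.strip(), pasted.strip()
    kind = wallet_type(intended)
    if kind is None:
        return "not_an_address"
    if kind == "ethereum":  # hex addresses are case-insensitive
        intended, pasted = intended.lower(), pasted.lower()
    if intended == pasted:
        return "match"
    if wallet_type(pasted) != kind:
        return "substitution"
    head = common_prefix_len(intended, pasted) - FIXED_PREFIX[kind]
    tail = common_prefix_len(intended[::-1], pasted[::-1])
    # Same type, different value, same-looking ends: the lookalike swap described above.
    return "lookalike_substitution" if max(head, tail) >= min_edge else "substitution"
```

Any result other than `match` should block the transaction; `lookalike_substitution` is the case worth alerting on, because a quick visual check of the first and last characters would not catch it.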

Bitdefender’s latest decryption key announcement comes hot on the heels of a similar tool designed to help victims of the MegaCortex ransomware variant. That key was published in January this year, while a previous one, for the LockerGoga ransomware family, was released in September 2022.
