Fatality: Since late last year, individuals and businesses have been targeted with a strain of ransomware themed after the Mortal Kombat video game franchise. If you are or know someone who was hit, the security group Bitdefender has a free decryptor that can recover locked files.
Security company Bitdefender released a free decryptor for the Mortal Kombat-themed ransomware this week. Users can deploy the tool silently and automate it.
After downloading the decryptor, run it from the command line with the -help argument to see how to run the tool silently; in silent mode, the tool's output goes to a log file instead of the console. The "start" command runs the decryptor silently without a GUI.
To limit the decryptor to a specific path, use the -scan-path argument. The -full-scan command tells the tool to scan the entire system and ignore the -scan-path argument. Users can also disable the decryptor's file backup function with the -disable-backup command. Previously encrypted files can be replaced with the -replace-existing command.
More help and examples are in the above link to Bitdefender's website, along with the download for the decryptor.
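As an added example (not Bitdefender's own code or documentation), the PowerShell wrapper below automates the silent run described above: it checks a folder for the ransomware's marker extension first, runs the decryptor without a GUI on that path only, and logs the before/after counts. The executable name, folder paths and exact argument syntax are assumptions and should be confirmed against the tool's own -help output.

```powershell
# Added example, not Bitdefender's code: unattended run of the decryptor on one folder.
# Assumptions: decryptor file name, paths and the "-scan-path=" syntax are placeholders.
param(
    [string]$DecryptorPath = 'C:\Tools\BDMortalKombatDecryptor.exe',  # placeholder path
    [string]$ScanPath      = 'D:\Shares\Finance',                     # folder to recover
    [string]$LogFile       = 'C:\Logs\mk_decrypt.log'
)

# Extension string the article says the ransomware writes; used only as a pre-check.
$Marker = 'Remember_you_got_only_24_hours_to_make_the_payment_if_you_dont_pay_prize_will_triple_Mortal_Kombat_Ransomware'

function Count-MarkerFiles([string]$Root) {
    # Number of files under $Root whose name carries the marker string.
    @(Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
      Where-Object { $_.Name -like "*$Marker*" }).Count
}

$Before = Count-MarkerFiles $ScanPath
"$(Get-Date -Format o) marker files found before run: $Before" | Add-Content -Path $LogFile

if ($Before -eq 0) {
    "$(Get-Date -Format o) nothing to decrypt under $ScanPath; exiting" | Add-Content -Path $LogFile
    exit 0
}

# Arguments as described in the article: 'start' runs without a GUI and -scan-path limits the
# scan. Backups stay enabled and existing files are not replaced, so originals survive a failed
# decryption; add -disable-backup / -replace-existing only after a verified test run.
$ArgumentList = @('start', "-scan-path=`"$ScanPath`"")

$proc = Start-Process -FilePath $DecryptorPath -ArgumentList $ArgumentList `
                      -Wait -PassThru -NoNewWindow
"$(Get-Date -Format o) decryptor exit code: $($proc.ExitCode)" | Add-Content -Path $LogFile

$After = Count-MarkerFiles $ScanPath
"$(Get-Date -Format o) marker files remaining after run: $After" | Add-Content -Path $LogFile

exit $proc.ExitCode
```

Run it once against a copy of affected data before pointing it at production shares, since the decryptor's own log (written in silent mode) is where failures are reported.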
Researchers at Cisco's Talos cybersecurity team published a report on the ransomware, a variant of the Xorist ransomware that had appeared by 2010, in mid-February. The attackers tend to deliver it in phishing emails disguised as payments from the CoinPayments crypto trading platform.
The emails mention timed-out cryptocurrency payments and contain attachments resembling CoinPayments transaction numbers that hide the malware payload. Once activated, the malware downloads the ransomware, which encrypts all of a PC's files, including those in virtual machines and the recycle bin. It got its name because it replaces the victim's wallpaper with an image from the game Mortal Kombat 11.
After the encryption, the ransomware generates a file with an extension reading "Remember_you_got_only_24_hours_to_make_the_payment_if_you_dont_pay_prize_will_triple_Mortal_Kombat_Ransomware." Victims will then see a ransom note titled "HOW TO DECRYPT FILES.txt."
The ransomware also disables the Run command, corrupts Windows Explorer, and deletes contents from the startup menu. The malware downloader is also known to download Laplas Clipper, which replaces crypto wallet addresses in the clipboard with fraudulent imitations that lead to the attackers' wallets. Most targets have been in the United States, but a few were in the UK, the Philippines, and Turkey.
Users should always be careful regarding emails from unknown senders, especially ones carrying attachments or containing links promising payments. Messages asking about account information and other credentials are also suspect.