- CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post on a TOR-based private cybercrime dark web forum, advertising the source code of an advanced FUD ransomware, dubbed M3rcury.
- The threat actor has quoted a price of EUR 170 / USD 207 for the source code.
- The threat actor claims that M3rcury is built entirely from scratch and uses a unique multi-password piecewise encryption mechanism to evade anti-ransomware protection.
Figure: Post on the underground forums for the sale of M3rcury Ransomware
Features of M3rcury
Based on research conducted by the CloudSEK Threat Intelligence team, the features of this ransomware code include:
- Removal of backups from the victim’s system
- Hybrid RSA AES-256 encryption
- UAC bypass
- Sandbox detection
- Evasion of heuristic analysis
- Heavy obfuscation
- Scantime, packed and encrypted
- Encryption mechanism to defeat anti-ransomware detection
- Working on Windows 7/10
What does the purchase include?
According to the seller, the purchase of this malware includes the following:
- Attacker-side decryption source code written in Golang.
- A copy of the main ransomware executable in both 32-bit and 64-bit.
- A unique private key for victim decryption.
- Access to all future updates.
Impact & Mitigation
Impact
- M3rcury ransomware eventually leads to network compromise as it evades anti-ransomware software.
- It can be leveraged to extort large volumes of data from its victims.
- M3rcury restricts access to user data via encryption/locking.
Mitigation
- Train employees to identify phishing attempts, such as phishing emails that contain weaponized attachments or malicious links.
- Employ effective IDPS/NGFW within the corporate network to prevent ongoing attacks.
- Secure RDP/VPN endpoints to prevent the initial entry into the internal network.
- Audit internal networks properly, especially on-premise Active Directory.
- Restrict user privileges and permissions to what is absolutely necessary.