- CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post on a TOR-based private cybercrime dark web forum, advertising the source code of an advanced FUD ransomware, dubbed M3rcury.
- The threat actor has quoted a price of EUR 170 / USD 207 for the source code.
- The threat actor claims that M3rcury is built entirely from scratch and uses a unique multi-password piecewise encryption mechanism to evade anti-ransomware protection.
Analysis

Features of M3rcury

Based on the research and findings of the CloudSEK Threat Intelligence team, the features of this ransomware code include:
- Removal of backups from the victim’s system
- Hybrid RSA AES-256 encryption
- UAC bypass
- Sandbox detection
- Evasion of heuristic analysis
- Heavy obfuscation
- Scantime evasion: the binary is packed and encrypted
- Encryption mechanism designed to defeat anti-ransomware detection
- Works on Windows 7 and Windows 10
- Attacker-side decryption source code written in Go (golang)
- A copy of the main ransomware executable in both 32-bit and 64-bit builds
- A unique private key for victim decryption
- Access to all future updates
Impact & Mitigation