An open-source universal decryptor for the newly discovered MortalKombat malware, which encrypts files, has been made available by the Romanian cybersecurity firm Bitdefender. The virus has been employed on dozens of victims in the United States, United Kingdom, Turkey, and the Philippines, as per a recent Cisco analysis.
Emails with malware ZIP attachments containing BAT loader scripts are sent to random users by MortalKombat distributors. When the script is run, it will download and run the Laplas Clipper and ransomware binaries on the computer.
Although it has been identified since 2010, Xorist is disseminated as a ransomware constructor, enabling online threat actors to design and alter their own variant of the malware. The MortalKombat decryptor is a standalone executable that doesn't require installation on affected devices. The user may optionally choose a specific place holding backed-up encrypted data. It offers to scan the entire filesystem to find files infected by MortalKombat.
In addition, Bitdefender said that the malware has a clipboard-monitoring feature that targets users of cryptocurrencies particularly. The emails include references to expired cryptocurrency payments and attachments that resemble CointPayments transaction numbers but conceal the malware payload. The ransomware, which encrypts all of a PC's data, including those in virtual machines and the recycle bin, is downloaded by the software after its launch. It takes the victim's background and replaces it with a Mortal Kombat 11 image, hence the name.
In a study by PCrisk, Cisco discovered a leaked version of the Xorist builder, where the builder interface options closely mirrored an actual Xorist ransomware building interface. The creator creates an executable ransomware file that the attackers can further modify. Notably, MortalKombat was used in recent attacks by an unidentified financially motivated malicious attacker as a part of a phishing operation targeted at multiple companies.