The Merry X-Mas Ransomware is here and it’s not bringing you any presents. First discovered by @dvk01uk with the help of @Techhelplistcom, it is being named the Merry Christmas, or Merry X-Mas, Ransomware due to the title of the infection’s ransom note.
Victims who become infected with this ransomware will have their files encrypted and then be shown a ransom note that wishes them a Merry Christmas while demanding they pay a ransom to get their files back.
It is not Santa’s Elves distributing the Merry X-Mas Ransomware
The Merry X-Mas ransomware is currently being distributed through SPAM emails that pretend to be a consumer complaint from the Federal Trade Commission. These emails will state that the recipient’s company is violating the CCPA, or Consumer Credit Protection Act, and contains a link to the supposed document containing the complaint.
If recipients look closely, though, they will see that the email is coming from the domain ftc.gov.uk, which does not exist. The Federal Trade Commission is a USA agency and is not in the United Kingdom.
Though the supposed link to the complaint looks like the legitimate FTC web site, in reality it is a hidden link to a domain under the control of the malware developer called govapego.com.
When a recipient clicks on this link, it will download a zip file containing a file called complaint.pdf.exe. As Windows has extensions disabled by default, many recipients will instead see a document called COMPLAINT.pdf, as shown below, think it’s a legitimate PDF file, and therefore open it. Due to this, as part of our Ransomware Protection Guide, it is strongly suggested that you enable the viewing of Windows extensions.
Once the file is opened, the installer will silently sit in the background for a short period of time and then begin the encryption process.
How the Merry X-Mas Ransomware Encrypts a Computer’s Files
When the ransomware program is first executed, it will run in the background and remain idle for a short period of time. It will then connect to the URL https://onion1.host/cd/copy/gate.php and upload information about the victim’s computer. The information uploaded is the user name, computer name, running processes, installed programs, the local time, and various hardware information about the computer.
It will then scan the local drives on the computer and encrypt files that match certain targeted extensions, which were provided by Fabian Wosar of Emsisoft and listed at the end of this article. When a file is encrypted, the Merry X-Mas ransomware will add either the .PEGS1, .MRCR1, or .RARE1 extensions to the file name depending on the variant that is being installed. For example, for the the variant I tested, when a file named test.jpg is encrypted it would be renamed to test.jpg.RARE1.
In each folder that a file is encrypted, the ransomware will also create a ransom note named YOUR_FILES_ARE_DEAD.hta. This ransom note will be set as an autostart so it is opened every time the victim logs into Windows.
This ransom note contains instructions on how to contact the developer for payment information via email at firstname.lastname@example.org or via Telegram at @comodosecurity. At this time it is unknown how much the developer is demanding as a ransom payment. At this time there is no way to decrypt files for free, but Fabian Wosar, a crypto superhero, is taking a look and hopefully a decryption method can be found.
Learn how to protect yourself from Ransomware
With the proper distribution and strong cryptology, a ransomware developer can generate a lot of revenue in a fairly short amount of time. Therefore, this highly lucrative computer infection is here to stay and people need to learn how to protect themselves.
To help with this, I have put together a Ransomware Protection Guide that provides many tips that a user should follow to protect themselves online.