M3rcury Ransomware Leaks on Dark Web Cybercrime Forum

Category Malware Intelligence
Affected Industries Education
Affected Region Global

Executive Summary

  • CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post on a TOR-based private cybercrime dark web forum, advertising the source code of an advanced FUD (fully undetectable) ransomware, dubbed M3rcury.
  • The threat actor has quoted a price of EUR 170 / USD 207 for the source code.
  • The threat actor claims that M3rcury is built entirely from scratch and uses a unique multi-password piecewise encryption mechanism to evade anti-ransomware protection.

Post on the underground forums for the sale of M3rcury Ransomware

Analysis

Features of M3rcury

Based on the research and findings of the CloudSEK Threat Intelligence team, the features of this ransomware code include:

  • Removal of backups from the victim’s system
  • Hybrid RSA AES-256 encryption
  • UAC bypass
  • Sandbox detection
  • Evasion of heuristic analysis
  • Heavy obfuscation
  • Scan-time packed and encrypted
  • Encryption mechanism to defeat anti-ransomware detection
  • Working on Windows 7/10

What does the purchase include?

According to the seller, the purchase of this malware includes the following:

  • Attacker-side decryption source code written in Golang.
  • A copy of the main ransomware executable in both 32-bit and 64-bit builds.
  • A unique private key for victim decryption.
  • Access to all future updates.

Impact & Mitigation
