MERIN Ransomware

Posted: October 13, 2020

MERIN Ransomware Description

The MERIN Ransomware is a file-locking Trojan that comes from the NEFILIM Ransomware family. The MERIN Ransomware includes features for blocking files by encrypting them and creating ransom notes, and attackers may install it after hacking targets through software vulnerabilities. As in most cases, backups are the only guarantee for recovery of any data, although dedicated anti-malware services can limit damages by quarantining or removing the MERIN Ransomware.

Ancient Folklore Tears Back into Modern Day with Trojans

One Trojan family with the oddly chosen theme of the Hebrew Nephilim, translatable as either 'giants' or 'fallen angels,' is quieter than most of the thriving Ransomware-as-a-Service operations in 2020. Despite running fewer campaigns, the NEFILIM Ransomware is no less a challenge for users who don't put any effort into data recovery with well-planned backups. As such, its new variant, the MERIN Ransomware, represents a danger to Windows users both at home and at work.

The MERIN Ransomware's family is much more restrictive in its deployment than a more-typical Ransomware-as-a-Service, as demonstrated by fewer spin-offs, like the OFFWHITE Ransomware, the TRAPGET Ransomware or the TELEGRAM Ransomware. Although malware experts connect this family's attackers to Russia, campaigns can breach national boundaries and, usually, focus on 'easy opportunity' targets, such as businesses with out-of-date server software or weak passwords. The MERIN Ransomware and its relatives are Windows-based, like most file-locker Trojans.

Some signature features from the MERIN Ransomware's familial payload include:

  • Blocking digital media (documents, pictures, and similar files) through secure encryption, stopping them from opening.
  • Creating extensions on every blocked file, with the text changing per campaign (such as 'MERIN,' in this case).
  • Dropping text messages serving as ransom notes. Most NEFILIM Ransomware campaigns use the same note with updates to e-mails, linking to the attacker's TOR website for ransom-processing, and threatening to leak the collected files to the public.
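Because the appended extension changes per campaign, a fixed extension blocklist ages quickly; the behaviour itself (one new suffix appended to many files of different types in a short burst) is the more durable signal. The following is an added detection example, not code from the original page or from any vendor. It generalizes beyond 'MERIN' to any appended suffix. The event tuple layout, the thresholds and the sample paths are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Constructed sample of file-rename events (time, old path, new path); not real telemetry.
SAMPLE_EVENTS = [
    ("2020-10-13T09:00:01", r"C:\Share\q3.xlsx", r"C:\Share\q3.xlsx.MERIN"),
    ("2020-10-13T09:00:02", r"C:\Share\plan.docx", r"C:\Share\plan.docx.MERIN"),
    ("2020-10-13T09:00:03", r"C:\Share\logo.png", r"C:\Share\logo.png.MERIN"),
    ("2020-10-13T09:00:04", r"C:\Share\notes.txt", r"C:\Share\notes.txt.MERIN"),
    ("2020-10-13T09:05:00", r"C:\Share\draft.docx", r"C:\Share\final.docx"),  # normal rename
    ("2020-10-13T09:06:00", r"C:\Share\old.log", r"C:\Share\old.log.bak"),    # lone backup copy
]

def appended_suffix(old_path, new_path):
    """Return the suffix if new_path is old_path plus one appended extension, else None."""
    if not new_path.lower().startswith(old_path.lower() + "."):
        return None
    suffix = new_path[len(old_path) + 1:]
    # Reject empty suffixes and anything containing a further dot or path separator.
    if not suffix or "." in suffix or "\\" in suffix:
        return None
    return suffix.upper()

def find_mass_append(events, min_files=4, min_types=3, window=timedelta(minutes=5)):
    """Flag suffixes appended to many files of different original types within `window`.

    The default thresholds are illustrative assumptions; tune them to local baselines.
    """
    by_suffix = defaultdict(list)
    for ts, old, new in events:
        suffix = appended_suffix(old, new)
        if suffix:
            by_suffix[suffix].append((datetime.fromisoformat(ts), old))
    alerts = []
    for suffix, hits in sorted(by_suffix.items()):
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward
            burst = hits[start:end + 1]
            types = {ntpath.splitext(path)[1].lower() for _, path in burst}
            if len(burst) >= min_files and len(types) >= min_types:
                alerts.append({"suffix": suffix, "files": len(burst),
                               "original_types": sorted(types)})
                break
    return alerts

if __name__ == "__main__":
    for alert in find_mass_append(SAMPLE_EVENTS):
        print(alert)
```

Requiring several distinct original file types keeps routine jobs that append one suffix to a single file type, such as log rotation, from triggering the alert.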

Although malware experts rate it as unlikely that the MERIN Ransomware has significant file-exfiltration or data-collecting features, typical scenarios for infections involve the attackers already having access to the target's server or network. The attackers may genuinely leak collected information to a publicly viewable website, which is a possible incentive for paying the ransom, even if the victim has a backup for recovery.

Stopping the Latest NEFILIM Ransomware from Taking Your Work Home with It

Because of the particular danger that the MERIN Ransomware represents towards workplaces, malware analysts highlight the preventative steps most applicable to business entities, government networks and similar environments. Administrators should always use strong passwords that threat actors can't brute-force, along with maintaining software updates that close off vulnerabilities like Citrix's CVE-2019-19781. Remote Desktop or RDP features should also be double-checked for their security, since RDP is a known infection vector in the NEFILIM Ransomware family.

Data encryption can keep affected files from opening permanently, regardless of their formats or extensions. It usually is not decryptable for free, except where the payload is buggy or unsophisticated. Since encryption attacks endanger home users just as much as businesses, all individuals should have appropriately-stored backups on other devices that Trojans like the MERIN Ransomware can't attack at will.

Malware researchers also confirm that the MERIN Ransomware continues its family's pattern of abusing digital certificates for hiding its identity. Despite the notable obfuscation, trustworthy and updated cyber-security products should remove the MERIN Ransomware as a threat from endangered Windows PCs.

No one should think that the smaller, more-targeted Trojan families are out of the count, even though their business is less flashy than a Ransomware-as-a-Service. The MERIN Ransomware compensates for lacking popularity in the quality of victims, to the detriment of those who experience it firsthand.
