'Merry X-Mas!' Ransomware

'Merry X-Mas!' Ransomware Description

The 'Merry X-Mas!' Ransomware is a Trojan that may encrypt or rename your files while also loading ransom messages for extorting money. Although this Trojan uses an address branded after a known cyber security company, the company has no actual relationship with either this threat or the decryption services it recommends. Use backups when possible to avert data loss, and anti-malware programs to delete the 'Merry X-Mas!' Ransomware and protect your computer with premeditated security solutions.

Trojans Wishing Your Computer the Worst for Christmas

Holidays aren't just a time for families and shopping, but also a time for Trojan authors to ramp up their attacks, in light of the traditional increases in Web traffic. While malware experts have yet to acquire samples of this threat, the 'Merry X-Mas!' Ransomware is one of the newer examples of seasonal, file-encrypting Trojans for the end of 2016. The Trojan includes some indirect ties to previous threat campaigns along with several examples of social engineering at work.

The 'Merry X-Mas!' Ransomware locks files by encrypting them with an algorithm not yet identifiable. Common choices include AES and, to a lesser extent, Blowfish. Many cases of encryption are unbreakable without the key, which most file-encrypting threats protect with another level of encryption. The 'Merry X-Mas!' Ransomware adds a 'name tag' to each blocked file in the form of its appended '.MRCR1' extension, and, then, creates a ransom message.

Malware experts find the 'Merry X-Mas!' Ransomware's messages using the same HTA format popularized by past threats like the Cerber 4.0 Ransomware. Notable elements include:

  • The 'Merry X-Mas!' Ransomware's ransom message includes a three-day timer, after the expiration of which, it threatens to delete your files.
  • The 'Merry X-Mas!' Ransomware uses telegram and e-mail-based contact points for ransom negotiations to retrieve your encrypted data. The same contact addresses also are points of note in some Globe Ransomware attacks, and misrepresent the threat actor as being an employee of the Comodo cyber security company.

The holiday-customized pop-up graphic is one that malware analysts have yet to see in any other Trojan campaign, and, in particular, bears no resemblance to any messages from the Globe Ransomware family.

Crossing the 'Merry X-Mas!' Ransomware Off of Your Nice List

Until appropriate security companies can analyze samples and determine the chances of free decryption solutions, the 'Merry X-Mas!' Ransomware's attacks may be irreversible, even if you prevent the deletion. Like the Jigsaw Ransomware and other threats that act on time limits, the 'Merry X-Mas!' Ransomware is resolvable regarding damages by keeping extra copies of files backed up to another drive or server. Peripheral devices and password-protected server storage both are solutions malware experts recommend habitually for countering any file-encoding or deleting Trojan.

Circumstantial evidence points to the 'Merry X-Mas!' Ransomware's possibly targeting businesses, NGOs, and other organizations using network servers for storage of potentially valuable files. Malware experts most often find compromises of such systems originating through e-mails, or, secondarily, cracking network passwords through brute-force methods. Analyzing your e-mail attachments with an anti-malware file-scanner may detect and delete the 'Merry X-Mas!' Ransomware, and changing your passwords from easily-cracked, default strings hampers most brute-force techniques.

Perhaps as an important reminder, even during the happiest times of the year, threat authors don't take vacations, nor do they shy away from collecting brand names for facilitating attacks like the 'Merry X-Mas!' Ransomware's extortion.

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to 'Merry X-Mas!' Ransomware may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.

Download SpyHunter's Malware Scanner

Note: SpyHunter's free version is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware tool to remove the malware threats. Learn more on SpyHunter. If you would like to uninstall SpyHunter for any reason, please follow these uninstall instructions. To learn more about our policies and practices, visit our EULA, Privacy Policy and Threat Assessment Criteria.

Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:



%APPDATA%YOUR_FILES_ARE_DEAD.HTA File name: YOUR_FILES_ARE_DEAD.HTA
Size: 66.54 KB (66543 bytes)
MD5: 51eb6c3594fd2158df29dcddc95b9481
Detection count: 28
Mime Type: unknown/HTA
Path: %APPDATA%
Group: Malware file
Last Updated: January 24, 2017
%LOCALAPPDATA%MERRY_I_LOVE_YOU_BRUCE.HTA File name: MERRY_I_LOVE_YOU_BRUCE.HTA
Size: 65.91 KB (65913 bytes)
MD5: 0fe3cabc45ac36d69a45997844562b5a
Detection count: 7
Mime Type: unknown/HTA
Path: %LOCALAPPDATA%
Group: Malware file
Last Updated: January 18, 2017
%USERPROFILE%\Desktop\musica\FlashPlayer.exe File name: FlashPlayer.exe
Size: 1.2 MB (1201256 bytes)
MD5: eab96e317166bcd440c313ff1f87081a
Detection count: 5
File type: Executable File
Mime Type: unknown/exe
Path: %USERPROFILE%\Desktop\musica\
Group: Malware file
Last Updated: January 18, 2017

More files

Registry Modifications


The following newly produced Registry Values are:

File name without pathMERRY_I_LOVE_YOU_BRUCE.HTAYOUR_FILES_ARE_DEAD.HTA
Posted: January 3, 2017
Threat Metric
Threat Level: 10/10
Infected PCs 18,781
Home Malware Programs Ransomware 'Merry X-Mas!' Ransomware

Leave a Reply

Please note that we are not able to assist with billing and support issues regarding SpyHunter or other products. If you're having issues with SpyHunter, please get in touch with SpyHunter customer support through your SpyHunter. If you have SpyHunter billing questions, we recommend you check the Billing FAQ. For general suggestions or feedback, contact us.