'Merry X-Mas!' Ransomware
Posted: January 3, 2017
Threat Metric
The following fields listed on the Threat Meter containing a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.
Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
| Threat Level: | 10/10 |
|---|---|
| Infected PCs: | 18,835 |
| First Seen: | January 3, 2017 |
|---|---|
| Last Seen: | October 7, 2022 |
| OS(es) Affected: | Windows |
The 'Merry X-Mas!' Ransomware is a Trojan that may encrypt or rename your files while also loading ransom messages for extorting money. Although this Trojan uses an address branded after a known cyber security company, the company has no actual relationship with either this threat or the decryption services it recommends. Use backups when possible to avert data loss, and anti-malware programs to delete the 'Merry X-Mas!' Ransomware and protect your computer with premeditated security solutions.
Trojans Wishing Your Computer the Worst for Christmas
Holidays aren't just a time for families and shopping, but also a time for Trojan authors to ramp up their attacks, in light of the traditional increases in Web traffic. While malware experts have yet to acquire samples of this threat, the 'Merry X-Mas!' Ransomware is one of the newer examples of seasonal, file-encrypting Trojans for the end of 2016. The Trojan includes some indirect ties to previous threat campaigns along with several examples of social engineering at work.
The 'Merry X-Mas!' Ransomware locks files by encrypting them with an algorithm not yet identifiable. Common choices include AES and, to a lesser extent, Blowfish. Many cases of encryption are unbreakable without the key, which most file-encrypting threats protect with another level of encryption. The 'Merry X-Mas!' Ransomware adds a 'name tag' to each blocked file in the form of its appended '.MRCR1' extension, and, then, creates a ransom message.
Malware experts find the 'Merry X-Mas!' Ransomware's messages using the same HTA format popularized by past threats like the Cerber 4.0 Ransomware. Notable elements include:
- The 'Merry X-Mas!' Ransomware's ransom message includes a three-day timer, after the expiration of which, it threatens to delete your files.
- The 'Merry X-Mas!' Ransomware uses telegram and e-mail-based contact points for ransom negotiations to retrieve your encrypted data. The same contact addresses also are points of note in some Globe Ransomware attacks, and misrepresent the threat actor as being an employee of the Comodo cyber security company.
The holiday-customized pop-up graphic is one that malware analysts have yet to see in any other Trojan campaign, and, in particular, bears no resemblance to any messages from the Globe Ransomware family.
Crossing the 'Merry X-Mas!' Ransomware Off of Your Nice List
Until appropriate security companies can analyze samples and determine the chances of free decryption solutions, the 'Merry X-Mas!' Ransomware's attacks may be irreversible, even if you prevent the deletion. Like the Jigsaw Ransomware and other threats that act on time limits, the 'Merry X-Mas!' Ransomware is resolvable regarding damages by keeping extra copies of files backed up to another drive or server. Peripheral devices and password-protected server storage both are solutions malware experts recommend habitually for countering any file-encoding or deleting Trojan.
Circumstantial evidence points to the 'Merry X-Mas!' Ransomware's possibly targeting businesses, NGOs, and other organizations using network servers for storage of potentially valuable files. Malware experts most often find compromises of such systems originating through e-mails, or, secondarily, cracking network passwords through brute-force methods. Analyzing your e-mail attachments with an anti-malware file-scanner may detect and delete the 'Merry X-Mas!' Ransomware, and changing your passwords from easily-cracked, default strings hampers most brute-force techniques.
Perhaps as an important reminder, even during the happiest times of the year, threat authors don't take vacations, nor do they shy away from collecting brand names for facilitating attacks like the 'Merry X-Mas!' Ransomware's extortion.
Technical Details
File System Modifications
Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.
The following files were created in the system:%SystemDrive%\Users\<username>\AppData\Local\YOUR_FILES_ARE_DEAD.HTA
File name: YOUR_FILES_ARE_DEAD.HTASize: 66.54 KB (66543 bytes)
MD5: d2ae721490c4525e8c371755e7f59eb4
Detection count: 283
Mime Type: unknown/HTA
Path: %SystemDrive%\Users\<username>\AppData\Local
Group: Malware file
Last Updated: April 15, 2017
%ALLUSERSPROFILE%\MERRY_I_LOVE_YOU_BRUCE.HTA
File name: MERRY_I_LOVE_YOU_BRUCE.HTASize: 91.43 KB (91433 bytes)
MD5: f2520cd0bf34b3b0350e8db21a759c7c
Detection count: 164
Mime Type: unknown/HTA
Path: %ALLUSERSPROFILE%
Group: Malware file
Last Updated: February 3, 2017
%ALLUSERSPROFILE%\Application Data\MERRY_I_LOVE_YOU_BRUCE.HTA
File name: MERRY_I_LOVE_YOU_BRUCE.HTASize: 91.84 KB (91845 bytes)
MD5: 0e37416d8fefbfd16cbe1516df794920
Detection count: 129
Mime Type: unknown/HTA
Path: %ALLUSERSPROFILE%\Application Data
Group: Malware file
Last Updated: February 3, 2017
%LOCALAPPDATA%\MERRY_I_LOVE_YOU_BRUCE.HTA
File name: MERRY_I_LOVE_YOU_BRUCE.HTASize: 104.65 KB (104651 bytes)
MD5: 3a1b5f64ff33d95d425291599be6b4e0
Detection count: 112
Mime Type: unknown/HTA
Path: %LOCALAPPDATA%
Group: Malware file
Last Updated: February 3, 2017
%ALLUSERSPROFILE%\YOUR_FILES_ARE_DEAD.HTA
File name: YOUR_FILES_ARE_DEAD.HTASize: 66.54 KB (66543 bytes)
MD5: 4d7297e309ee1cdb9793eaffc5c42646
Detection count: 108
Mime Type: unknown/HTA
Path: %ALLUSERSPROFILE%
Group: Malware file
Last Updated: April 15, 2017
%SystemDrive%\Users\<username>\AppData\Local\MERRY_I_LOVE_YOU_BRUCE.HTA
File name: MERRY_I_LOVE_YOU_BRUCE.HTASize: 91.84 KB (91845 bytes)
MD5: 713870beb7dc5456756a66d97b01a566
Detection count: 89
Mime Type: unknown/HTA
Path: %SystemDrive%\Users\<username>\AppData\Local
Group: Malware file
Last Updated: February 3, 2017
%USERPROFILE%\Desktop\MERRY_I_LOVE_YOU_BRUCE.HTA
File name: MERRY_I_LOVE_YOU_BRUCE.HTASize: 91.84 KB (91845 bytes)
MD5: e7aca562ae026f4727d68f27c87727b2
Detection count: 75
Mime Type: unknown/HTA
Path: %USERPROFILE%\Desktop
Group: Malware file
Last Updated: February 3, 2017
%LOCALAPPDATA%\MERRY_I_LOVE_YOU_BRUCE.HTA
File name: MERRY_I_LOVE_YOU_BRUCE.HTASize: 91.43 KB (91433 bytes)
MD5: 948d25c3299f577001768a25b04110fb
Detection count: 73
Mime Type: unknown/HTA
Path: %LOCALAPPDATA%
Group: Malware file
Last Updated: April 15, 2017
%ALLUSERSPROFILE%\MERRY_I_LOVE_YOU_BRUCE.HTA
File name: MERRY_I_LOVE_YOU_BRUCE.HTASize: 91.84 KB (91845 bytes)
MD5: 5569b7db81d3f7a19eac96326143ea4c
Detection count: 61
Mime Type: unknown/HTA
Path: %ALLUSERSPROFILE%
Group: Malware file
Last Updated: February 3, 2017
%ALLUSERSPROFILE%\MERRY_I_LOVE_YOU_BRUCE.HTA
File name: MERRY_I_LOVE_YOU_BRUCE.HTASize: 104.65 KB (104651 bytes)
MD5: f6e9eff2bb4e03cb057a73ff9ab77546
Detection count: 56
Mime Type: unknown/HTA
Path: %ALLUSERSPROFILE%
Group: Malware file
Last Updated: February 3, 2017
%ALLUSERSPROFILE%\MERRY_I_LOVE_YOU_BRUCE.HTA
File name: MERRY_I_LOVE_YOU_BRUCE.HTASize: 91.43 KB (91433 bytes)
MD5: eb85102d83f7aa16dffa88ba98d9bdfd
Detection count: 47
Mime Type: unknown/HTA
Path: %ALLUSERSPROFILE%
Group: Malware file
Last Updated: February 3, 2017
%ALLUSERSPROFILE%\MERRY_I_LOVE_YOU_BRUCE.HTA
File name: MERRY_I_LOVE_YOU_BRUCE.HTASize: 91.84 KB (91845 bytes)
MD5: 1920ff41610e3415a9f29454af0336a7
Detection count: 40
Mime Type: unknown/HTA
Path: %ALLUSERSPROFILE%
Group: Malware file
Last Updated: February 3, 2017
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\MERRY_I_LOVE_YOU_BRUCE.HTA
File name: MERRY_I_LOVE_YOU_BRUCE.HTASize: 91.84 KB (91845 bytes)
MD5: 66c157de8d98be180b6dd7b1e7329fa0
Detection count: 40
Mime Type: unknown/HTA
Path: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
Group: Malware file
Last Updated: February 3, 2017
%ALLUSERSPROFILE%\MERRY_I_LOVE_YOU_BRUCE.HTA
File name: MERRY_I_LOVE_YOU_BRUCE.HTASize: 91.84 KB (91845 bytes)
MD5: 3ce28581ec43c41cb5e36e9312ef3299
Detection count: 35
Mime Type: unknown/HTA
Path: %ALLUSERSPROFILE%
Group: Malware file
Last Updated: February 3, 2017
%USERPROFILE%\Desktop\MERRY_I_LOVE_YOU_BRUCE.HTA
File name: MERRY_I_LOVE_YOU_BRUCE.HTASize: 91.43 KB (91433 bytes)
MD5: 7e45c5993dcc73ba5270437a9a576ac5
Detection count: 35
Mime Type: unknown/HTA
Path: %USERPROFILE%\Desktop
Group: Malware file
Last Updated: February 3, 2017
%ALLUSERSPROFILE%\MERRY_I_LOVE_YOU_BRUCE.HTA
File name: MERRY_I_LOVE_YOU_BRUCE.HTASize: 91.84 KB (91845 bytes)
MD5: 97be4525045485dd6bb6db72fa9708bb
Detection count: 35
Mime Type: unknown/HTA
Path: %ALLUSERSPROFILE%
Group: Malware file
Last Updated: February 3, 2017
%LOCALAPPDATA%\MERRY_I_LOVE_YOU_BRUCE.HTA
File name: MERRY_I_LOVE_YOU_BRUCE.HTASize: 91.43 KB (91433 bytes)
MD5: 72ed1a179175c03c086c495da4a10406
Detection count: 30
Mime Type: unknown/HTA
Path: %LOCALAPPDATA%
Group: Malware file
Last Updated: April 15, 2017
%APPDATA%\MERRY_I_LOVE_YOU_BRUCE.HTA
File name: MERRY_I_LOVE_YOU_BRUCE.HTASize: 91.84 KB (91845 bytes)
MD5: da5799e65d8f142adebb822b61bde0aa
Detection count: 26
Mime Type: unknown/HTA
Path: %APPDATA%
Group: Malware file
Last Updated: February 3, 2017
%APPDATA%\MERRY_I_LOVE_YOU_BRUCE.HTA
File name: MERRY_I_LOVE_YOU_BRUCE.HTASize: 91.43 KB (91433 bytes)
MD5: 7b8ff3d7b107b53f8192fd228a8787bf
Detection count: 26
Mime Type: unknown/HTA
Path: %APPDATA%
Group: Malware file
Last Updated: February 3, 2017
%ALLUSERSPROFILE%\MERRY_I_LOVE_YOU_BRUCE.HTA
File name: MERRY_I_LOVE_YOU_BRUCE.HTASize: 91.84 KB (91845 bytes)
MD5: 4ecc47378f492933b3f31c9b626448dc
Detection count: 21
Mime Type: unknown/HTA
Path: %ALLUSERSPROFILE%
Group: Malware file
Last Updated: February 3, 2017
More files
Registry Modifications
File name without pathMERRY_I_LOVE_YOU_BRUCE.HTAYOUR_FILES_ARE_DEAD.HTA
Leave a Reply
Please note that we are not able to assist with billing and support issues regarding SpyHunter or other products. If you're having issues with SpyHunter, please get in touch with SpyHunter customer support through your SpyHunter . If you have SpyHunter billing questions, we recommend you check the Billing FAQ. For general suggestions or feedback, contact us.