'Merry X-Mas!' Ransomware
Posted: January 3, 2017
Threat Metric
The following fields listed on the Threat Meter containing a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.
Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
| Threat Level: | 10/10 |
|---|---|
| Infected PCs: | 18,835 |
| First Seen: | January 3, 2017 |
|---|---|
| Last Seen: | October 7, 2022 |
| OS(es) Affected: | Windows |
The 'Merry X-Mas!' Ransomware is a Trojan that may encrypt or rename your files while also loading ransom messages for extorting money. Although this Trojan uses an address branded after a known cyber security company, the company has no actual relationship with either this threat or the decryption services it recommends. Use backups when possible to avert data loss, and anti-malware programs to delete the 'Merry X-Mas!' Ransomware and protect your computer with premeditated security solutions.
Trojans Wishing Your Computer the Worst for Christmas
Holidays aren't just a time for families and shopping, but also a time for Trojan authors to ramp up their attacks, in light of the traditional increases in Web traffic. While malware experts have yet to acquire samples of this threat, the 'Merry X-Mas!' Ransomware is one of the newer examples of seasonal, file-encrypting Trojans for the end of 2016. The Trojan includes some indirect ties to previous threat campaigns along with several examples of social engineering at work.
The 'Merry X-Mas!' Ransomware locks files by encrypting them with an algorithm not yet identifiable. Common choices include AES and, to a lesser extent, Blowfish. Many cases of encryption are unbreakable without the key, which most file-encrypting threats protect with another level of encryption. The 'Merry X-Mas!' Ransomware adds a 'name tag' to each blocked file in the form of its appended '.MRCR1' extension, and, then, creates a ransom message.
Malware experts find the 'Merry X-Mas!' Ransomware's messages using the same HTA format popularized by past threats like the Cerber 4.0 Ransomware. Notable elements include:
- The 'Merry X-Mas!' Ransomware's ransom message includes a three-day timer, after the expiration of which, it threatens to delete your files.
- The 'Merry X-Mas!' Ransomware uses telegram and e-mail-based contact points for ransom negotiations to retrieve your encrypted data. The same contact addresses also are points of note in some Globe Ransomware attacks, and misrepresent the threat actor as being an employee of the Comodo cyber security company.
The holiday-customized pop-up graphic is one that malware analysts have yet to see in any other Trojan campaign, and, in particular, bears no resemblance to any messages from the Globe Ransomware family.
Crossing the 'Merry X-Mas!' Ransomware Off of Your Nice List
Until appropriate security companies can analyze samples and determine the chances of free decryption solutions, the 'Merry X-Mas!' Ransomware's attacks may be irreversible, even if you prevent the deletion. Like the Jigsaw Ransomware and other threats that act on time limits, the 'Merry X-Mas!' Ransomware is resolvable regarding damages by keeping extra copies of files backed up to another drive or server. Peripheral devices and password-protected server storage both are solutions malware experts recommend habitually for countering any file-encoding or deleting Trojan.
Circumstantial evidence points to the 'Merry X-Mas!' Ransomware's possibly targeting businesses, NGOs, and other organizations using network servers for storage of potentially valuable files. Malware experts most often find compromises of such systems originating through e-mails, or, secondarily, cracking network passwords through brute-force methods. Analyzing your e-mail attachments with an anti-malware file-scanner may detect and delete the 'Merry X-Mas!' Ransomware, and changing your passwords from easily-cracked, default strings hampers most brute-force techniques.
Perhaps as an important reminder, even during the happiest times of the year, threat authors don't take vacations, nor do they shy away from collecting brand names for facilitating attacks like the 'Merry X-Mas!' Ransomware's extortion.
Use SpyHunter to Detect and Remove PC Threats
If you are concerned that malware or PC threats similar to 'Merry X-Mas!' Ransomware may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.
* See Free Trial offer below. EULA and Privacy/Cookie Policy.
Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.
Technical Details
File System Modifications
Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.
The following files were created in the system:%SystemDrive%\Users\<username>\Desktop\YOUR_FILES_ARE_DEAD.HTA
File name: YOUR_FILES_ARE_DEAD.HTASize: 66.54 KB (66543 bytes)
MD5: f64970998e5172392d55c54f466ebbd8
Detection count: 560
Mime Type: unknown/HTA
Path: %SystemDrive%\Users\<username>\Desktop
Group: Malware file
Last Updated: April 15, 2017
%LOCALAPPDATA%\MERRY_I_LOVE_YOU_BRUCE.HTA
File name: MERRY_I_LOVE_YOU_BRUCE.HTASize: 104.89 KB (104895 bytes)
MD5: e506722532c71d14768c02ed1e500a0b
Detection count: 56
Mime Type: unknown/HTA
Path: %LOCALAPPDATA%
Group: Malware file
Last Updated: April 15, 2017
%USERPROFILE%\Desktop\musica\FlashPlayer.exe
File name: FlashPlayer.exeSize: 1.2 MB (1201256 bytes)
MD5: eab96e317166bcd440c313ff1f87081a
Detection count: 5
File type: Executable File
Mime Type: unknown/exe
Path: %USERPROFILE%\Desktop\musica
Group: Malware file
Last Updated: January 18, 2017
More files
Registry Modifications
File name without pathMERRY_I_LOVE_YOU_BRUCE.HTAYOUR_FILES_ARE_DEAD.HTA
Leave a Reply
Please note that we are not able to assist with billing and support issues regarding SpyHunter or other products. If you're having issues with SpyHunter, please get in touch with SpyHunter customer support through your SpyHunter . If you have SpyHunter billing questions, we recommend you check the Billing FAQ. For general suggestions or feedback, contact us.