Since December 2022, Cisco Talos has been observing an unidentified actor deploying two relatively new threats, the recently discovered MortalKombat ransomware and a GO variant of the Laplas Clipper malware, to steal cryptocurrency from victims.
Talos observed the actor scanning the internet for victim machines with an exposed remote desktop protocol (RDP) port 3389, using one of their download servers that run an RDP crawler and also facilitates MortalKombat ransomware.
Based on Talos’ analysis of similarities in code, class name, and registry key strings, they assess that the MortalKombat ransomware belongs to the Xorist family.
Talos continues to see attack campaigns targeting individuals, small businesses, and large organizations that aim to steal or demand ransom payments in cryptocurrency. Leveraging cryptocurrency offers threat actors attractive benefits such as anonymity, decentralization, and lack of regulation, making it more challenging to track.
Talos recommends that users and organizations be meticulous about the recipient’s wallet address while performing cryptocurrency transactions. Talos encourages updating computers with the latest security updates, implementing robust endpoint protection solutions with behavioral detection capabilities, and maintaining tested, offline backup solutions for endpoints with a reasonable restoration time in the event of a ransomware attack.
A typical infection in this campaign begins with a phishing email and kicks off a multi-stage attack chain in which the actor delivers either malware or ransomware, then deletes evidence of malicious files, covering their tracks and challenging analysis.