Share news article

Share on facebook
Share on twitter
Share on linkedin
Share on email

Bitdefender Releases Free Decryptor for MortalKombat Ransomware Strain

Feb 28, 2023Ravie LakshmananRansomware / Malware

Romanian cybersecurity company Bitdefender has released a free universal decryptor for a nascent file-encrypting malware known as MortalKombat.

MortalKombat is a new ransomware strain that emerged in January 2023. It’s based on a commodity ransomware dubbed Xorist and has been observed in attacks targeting entities in the U.S., the Philippines, the U.K., and Turkey.

Xorist, detected since 2010, is distributed as a ransomware builder, allowing cyber threat actors to create and customize their own version of the malware.

This includes the ransom note, the file name of the ransom note, the list of file extensions targeted, the wallpaper to be used, and the extension to be used on encrypted files. A decryptor for Xorist was made available by Emsisoft in May 2016.

MortalKombat notably was deployed in recent attacks mounted by an unnamed financially motivated threat actor as a part of a phishing campaign aimed at a wide range of organizations.

“MortalKombat encrypts various files on the victim machine’s filesystem, such as system, application, database, backup, and virtual machine files, as well as files on the remote locations mapped as logical drives in the victim’s machine,” Cisco Talos disclosed earlier this month.

Although the ransomware does not exhibit wiper behavior or delete volume shadow copies, it corrupts Windows Explorer, disables the Run command window, and removes all applications and folders from Windows startup.

It’s also known to corrupt the deleted files in the Recycle Bin folder and alter the file names and types and make Windows Registry modifications to achieve persistence. The threat actors behind the campaign and their operational model are unknown as yet.

Discover the Latest Malware Evasion Tactics and Prevention Strategies

Ready to bust the 9 most dangerous myths about file-based attacks? Join our upcoming webinar and become a hero in the fight against patient zero infections and zero-day security events!


“Based on the Xorist ransomware, MortalKombat spreads through phishing emails and targets exposed RDP instances,” Bitdefender said. “The malware gets planted through the BAT Loader that also delivers the Laplas Clipper malware.”

MortalKombat is not the only Xorist variant to have emerged in the threat landscape over the past few months. In November 2022, Fortinet FortiGuard Labs revealed another version that leaves a ransom note in Spanish.

The development also comes a little over a month after Avast published a free decryptor for BianLian ransomware to help victims of the malware recover locked files without having to pay the threat actors.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Related News

Researcher create polymorphic Blackmamba malware with ChatGPT

Researcher create polymorphic Blackmamba malware with ChatGPT

The malware can target Windows, macOS and Linux devices. HYAS Institute researcher and cybersecurity expert, Jeff Sims, has developed a…
Owner of Breach Forums Pompompurin Arrested in New York

Owner of Breach Forums Pompompurin Arrested in New York

Pompompurin has been charged with a single count of conspiracy to commit access device fraud. Conor Brian Fitzpatrick (aka Pompompurin,…
New Vishing Attack Spreading FakeCalls Android Malware

New Vishing Attack Spreading FakeCalls Android Malware

The attack scheme begins with the FakeCalls malware masquerading as an online banking application of a reputable South Korean financial…