Merry X-Mas

Merry X-Mas, or MRCR, targets Windows OS and is distributed through spam emails containing a malicious link. The emails masquerade as a consumer complaint from the Federal Trade Commission (FTC) that accuse the recipient of violating the Consumer Credit Protection Act. However, the sender’s email address displays as, which is not a valid domain, and the malicious link resolves to the attacker’s domain at govapego[.]com. The link downloads a ZIP file containing a malicious executable named complaint.pdf.exe disguised as a PDF file. Once executed, Merry X-Mas collects information about the victim’s system such as the user name, running processes, installed software, local time, and hardware information, and sends it to the attacker. It then begins encrypting targeted files and appends .PEGS1, .MCRC1, or RARE1 to the file names. It also drops a ransom note named YOUR_FILES_ARE_DEAD.hta in every folder containing encrypted files. The ransom payment demand for Merry-Xmas is currently unknown.

UPDATE 1/9/2017: A second campaign of Merry X-Mas attacks was spotted by a security researcher who noticed a different ransom note and spam lures than what was used previously. A third campaign was seen delivering DiamondFox malware in addition to the ransomware payload. DiamondFox includes modules that allow attackers to steal sensitive data, open RDP connections, and transform infected systems into DDoS bots.

UPDATE 1/27/2017: A new version appends .MERRY or .RMCM1 to encrypted file names and drops a ransom note named MERRY_I_LOVE_YOU_BRUCE.hta. The free decryption tool has been updated to accommodate this change.

  • Bleeping Computer provides more information about Merry X-Mas here.
  • Emsisoft provides a free decryption tool for Merry X-Mas here.