MortalKombat Ransomware

Romanian cybersecurity company Bitdefender has released a free universal decryptor for a nascent file-encrypting malware known as MortalKombat.

MortalKombat is a new ransomware strain that emerged in January 2023. It's based on a commodity ransomware dubbed Xorist and has been observed in attacks targeting entities in the U.S., the Philippines, the U.K., and Turkey.

Xorist, detected since 2010, is distributed as a ransomware builder, allowing cyber threat actors to create and customize their own version of the malware.

This includes the ransom note, the file name of the ransom note, the list of file extensions targeted, the wallpaper to be used, and the extension to be used on encrypted files. A decryptor for Xorist was made available by Emsisoft in May 2016.


MortalKombat notably was deployed in recent attacks mounted by an unnamed financially motivated threat actor as a part of a phishing campaign aimed at a wide range of organizations.

"MortalKombat encrypts various files on the victim machine's filesystem, such as system, application, database, backup, and virtual machine files, as well as files on the remote locations mapped as logical drives in the victim's machine," Cisco Talos disclosed earlier this month.

MortalKombat Ransomware Strain

Although the ransomware does not exhibit wiper behavior or delete volume shadow copies, it corrupts Windows Explorer, disables the Run command window, and removes all applications and folders from Windows startup.

It's also known to corrupt the deleted files in the Recycle Bin folder and alter the file names and types and make Windows Registry modifications to achieve persistence. The threat actors behind the campaign and their operational model are unknown as yet.


"Based on the Xorist ransomware, MortalKombat spreads through phishing emails and targets exposed RDP instances," Bitdefender said. "The malware gets planted through the BAT Loader that also delivers the Laplas Clipper malware."

MortalKombat is not the only Xorist variant to have emerged in the threat landscape over the past few months. In November 2022, Fortinet FortiGuard Labs revealed another version that leaves a ransom note in Spanish.

The development also comes a little over a month after Avast published a free decryptor for BianLian ransomware to help victims of the malware recover locked files without having to pay the threat actors.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.