Victims of MortalKombat ransomware can now decrypt their locked files for free

Cybersecurity firm Bitdefender released a universal decryptor for the MortalKombat ransomware – a strain first observed by threat researchers in January 2023.

The malware has been used on dozens of victims across the U.S., United Kingdom, Turkey and the Philippines, according to a recent report from Cisco.

Bogdan Botezatu, director of threat research and reporting at Bitdefender, would not say how they obtained the decryption keys they used to create the tool and noted that they will only be able to know the full scale of the attack campaign once victims start downloading the decryptor.

“This is an emerging piece of ransomware that is still distributed at the moment of writing. We have seen blocked ransomware on computers located in the U.S. and UK. We believe that the attacker is targeting English-speaking countries at this point,” Botezatu said.

“We believe that the demanded ransom varies from infection to infection based on how important the ransomed data is to the user or to the business.”

Both Bitdefender and Cisco researchers found that similarities in code, among other things, indicate that the ransomware belongs to the Xorist family, which they said has existed in various forms since 2010.

Cisco said the ease with which the Xorist variants can be customized allows threat actors to build new variants with different names, encryption file extensions, and custom ransom notes.

Cisco researchers found a leaked version of the Xorist builder whose interface options closely resembled those of an actual Xorist ransomware builder interface, as shown in a report by PCrisk. The builder generates a ransomware executable file that the attackers can further customize, they said.

Bitdefender added that the ransomware comes with a clipboard-monitoring component that specifically targets cryptocurrency users.

The actors behind MortalKombat typically spread the ransomware through phishing emails or by targeting internet-exposed systems.

When executed, the malware changes the desktop wallpaper to a Mortal Kombat theme and generates a ransom note. 

A Bitdefender spokesperson noted that the company has so far released 32 decryptors, including decryptors for GandCrab, Darkside, and a universal decryptor for REvil.

Jonathan Greig

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.