[UPDATED 2/16/23 9:48 AM to include IOCs]
Cisco Talos has reported a new variant of the Xorist ransomware family, named “MortalKombat”, being distributed in tandem with the Laplas clipper. The variant was first observed in January 2023. Talos notes that this ransomware is less sophisticated than other strains: its encryption routine does not target specific file types but instead encrypts system, application and user data indiscriminately. Attackers traditionally avoid this approach because it can destabilize the system and cost them their foothold. The reported initial compromise is a phishing campaign delivering a malicious compressed archive that contains a BAT script; the script downloads and executes a second-stage payload and then deletes the downloaded files to hinder detection.
Once encryption begins, the user’s desktop wallpaper is replaced with a ransom note adorned with artwork from the popular, long-running Mortal Kombat video game series.
Additionally, the ransomware creates a Run registry key value named “Alcmeter” for persistence. It also deletes keys under HKEY_CLASSES_ROOT, which renders applications inoperable.
“MortalKombat did not show any wiper behavior or delete the volume shadow copies on the victim’s machine. Still, it corrupts Windows Explorer, removes applications and folders from Windows startup, and disables the Run command window on the victim’s machine, making it inoperable.” - Cisco Talos
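The following PowerShell check is an added example, not code from the Cisco Talos report, that hunts a Windows host for the registry tampering described above: the “Alcmeter” Run key persistence, the disabled Run command, and missing HKEY_CLASSES_ROOT associations. It assumes the Run value is literally named Alcmeter and that the Run dialog is disabled through the standard Explorer NoRun policy value, which the advisory does not name.

```powershell
# Added example: hunt for the MortalKombat registry artifacts described in the advisory.
# Assumptions: the persistence value is named exactly "Alcmeter"; the "Run command
# disabled" symptom is checked via the standard Explorer policy value NoRun (the
# advisory does not state which mechanism the malware uses).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$suspectName = 'Alcmeter'
$findings = @()

# 1. Run key persistence: look for a value named Alcmeter in each Run key.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        if ($p.Name -eq $suspectName) {
            $findings += [pscustomobject]@{
                Check = 'Run key persistence'; Location = "$key\$($p.Name)"; Value = $p.Value
            }
        }
    }
}

# 2. Run dialog disabled via Explorer policy (assumed mechanism, see header comment).
foreach ($hive in 'HKCU', 'HKLM') {
    $pol = "$($hive):\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $noRun = (Get-ItemProperty -Path $pol -Name NoRun -ErrorAction SilentlyContinue).NoRun
    if ($noRun -eq 1) {
        $findings += [pscustomobject]@{ Check = 'Run dialog disabled'; Location = "$pol\NoRun"; Value = $noRun }
    }
}

# 3. HKEY_CLASSES_ROOT sanity check: these core associations exist on every healthy
#    Windows install; their absence is consistent with the key deletion described above.
foreach ($cls in 'exefile', 'batfile', 'Folder', 'Directory') {
    if (-not (Test-Path "Registry::HKEY_CLASSES_ROOT\$cls")) {
        $findings += [pscustomobject]@{ Check = 'Missing HKCR key'; Location = "HKCR\$cls"; Value = $null }
    }
}

if ($findings.Count -eq 0) { 'No MortalKombat registry indicators found.' }
else { $findings | Format-Table -AutoSize }
```

Run it from an elevated PowerShell session so the HKLM hives are readable; any reported finding warrants comparing the host against the IOCs in the Talos report linked below.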
Indicators of Compromise that have been identified include the following:
https://blog.talosintelligence.com/new-mortalkombat-ransomware-and-laplas-clipper-malware-threats/
https://otx.alienvault.com/pulse/63ebcd7ed463e232591fa655
