A new ransomware variant first discovered in January 2023 has been targeting victims mainly in the United States, but also in Turkey, the United Kingdom, and the Philippines. The ransomware is based on the Xorist commodity ransomware family, which has been free to decrypt since 2006. The threat actors begin the attack with a phishing email carrying a malicious ZIP file. The ZIP file contains a BAT loader script that downloads a second archive from a remote resource. Along with the Mortal Kombat ransomware, the threat actors are also using Laplas, a cryptocurrency hijacker that monitors the Windows clipboard for crypto addresses and, when it finds one, replaces it with the threat actors' own address to trick victims into sending money to them.
This group is clearly financially motivated: it uses the ransomware to encrypt victims' files for extortion and also takes the opportunity to steal cryptocurrency. Talos analysts assess that this particular ransomware isn't very sophisticated, because it also targets system files and applications, which ransomware commonly avoids so that the system does not become unstable. A victim will know they are infected because their wallpaper changes to a Mortal Kombat picture, which doubles as the ransom note.
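For mail-gateway triage of the delivery chain described above (a ZIP attachment carrying a BAT loader that fetches a second archive), the following Python walks a message's ZIP attachments and reports script members and the URLs they reference. It is an added example, not code from the analysts' report; the function names, the `.cmd` extension, the size and nesting limits, and the sample message are assumptions constructed for illustration.

```python
import io, re, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

SCRIPT_EXTS = (".bat", ".cmd")  # page names BAT; .cmd is an added assumption
URL_RE = re.compile(rb"https?://[^\s\"'<>]+", re.I)
MAX_ENTRY = 1_000_000           # never inflate members larger than this

def scan_zip(data, name, depth=0):
    """Flag script members of a ZIP and list the URLs they reference."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(name, "unreadable-zip", [])]
    with zf:
        for info in zf.infolist():
            path, lower = f"{name}!{info.filename}", info.filename.lower()
            if not lower.endswith(SCRIPT_EXTS + (".zip",)):
                continue
            if info.flag_bits & 0x1 or info.file_size > MAX_ENTRY:
                findings.append((path, "not-inspected", []))  # encrypted or too large
            elif lower.endswith(".zip"):
                findings += (scan_zip(zf.read(info), path, depth + 1) if depth < 2
                             else [(path, "nesting-too-deep", [])])
            else:
                urls = [u.decode("ascii", "replace") for u in URL_RE.findall(zf.read(info))]
                findings.append((path, "script-with-url" if urls else "script", urls))
    return findings

def scan_message(raw):
    """Scan every ZIP attachment of a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or "unnamed"
        if fname.lower().endswith(".zip"):
            findings += scan_zip(part.get_payload(decode=True), fname)
    return findings

def build_sample():  # constructed sample mail: ZIP with an inert .bat and a .txt
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.bat", "@echo off\r\nrem https://files.example.invalid/stage2.zip\r\n")
        zf.writestr("readme.txt", "see https://example.invalid/help")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.invalid", "b@example.invalid", "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()
```

Calling `scan_message(build_sample())` reports the `.bat` member with its referenced URL and ignores the text file; encrypted or oversized members are reported as `not-inspected` rather than opened.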