FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
agat
Staff
Article Id 250785

Introduction

 

MortalKombat is a new variant of the Xorist ransomware family, first observed by threat researchers in December 2022[1]. The name of the ransomware and the wallpaper it drops on the victim's computer are references to the Mortal Kombat franchise. On execution, MortalKombat ransomware encrypts various files on the victim machine, including executable files. This is a point of difference between MortalKombat and the majority of other ransomware families, which typically avoid encrypting executable files to keep the victim machine stable and to ensure decryption is more consistently effective. The behavior of MortalKombat ransomware matches that of other Xorist variants built with the Xorist ransomware builder.

The purpose of this article is to demonstrate how FortiEDR detects and prevents execution of this ransomware and its associated behavior to mitigate the associated risk. This article will also demonstrate what FortiEDR Threat Hunting telemetry is generated by execution of this ransomware if observed in a FortiEDR protected environment, and how this telemetry can be leveraged using threat hunting queries to create targeted detections.

 


Figure 1. Attack diagram of MortalKombat Ransomware

 

The sample analyzed in this article was delivered via a phishing attack that included a double extension zip file (<filename>.pdf.zip) containing an executable file. The file within the zip was also a double extension executable file (<filename>.pdf.exe). By default, Windows hides the known file extension of a file, which would make the file appear as <filename>.pdf to the victim. This makes the file appear normal and hides the fact that the file is an executable, not a PDF. This technique is tracked as T1036.007 Masquerading: Double File Extension[2].

 

Analysis

When the malware executable is run, it creates a copy of itself in the %TEMP% folder; the path observed in our detonation was C:\Users\<username>\AppData\Local\Temp\E7OKC9s3IlhAd13.exe. We have detonated this sample in multiple virtual machine environments and the file name it copies itself to remains the same across all the tested systems. When the malware executable is read prior to execution, FortiEDR detects the executable under the rule “Malicious File Detected”, which is part of the “Execution Prevention” security policy. FortiEDR detects the malware as “Xorist.DD8C!tr.ransom”[3]. This event can be observed in Figure 2 below.

 


Figure 2. FortiEDR detects the MortalKombat ransomware executable as a malicious Xorist ransomware threat.

 

 

When the ransomware creates a copy of itself in the %TEMP% folder of the infected machine, this event is detected by FortiEDR as a “File Creation” type event. The rules triggered for these events are “Malicious File Detected” from the “Exfiltration Prevention” and “Ransomware Prevention” security policies. The ransomware executable is flagged because its file hash matches a known signature in the FortiGuard threat database that is incorporated within FortiEDR. These events can be observed in Figure 3 below.

 


Figure 3. FortiEDR detects malware self-copy as file creation event and flags the created copy as a malicious Xorist ransomware executable.

 

After creating a copy of itself, the malware then creates a registry Run key entry for persistence (T1547.001). The malware creates a registry value named “Alcmeter” in the “HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run” registry key, with the path of the new executable as its value data. In our case this path was “C:\Users\<username>\AppData\Local\Temp\E7OKC9s3IlhAd13.exe”. Creation of this registry entry can be observed in FortiEDR Threat Hunting as shown in Figure 4 below.


Figure 4. FortiEDR Threat Hunting events that identify the registry value being created by the MortalKombat ransomware executable for persistence.

 

After establishing persistence, the ransomware starts to encrypt files on the system. The ransomware overwrites each file with encrypted data and then renames it. The ransomware renames encrypted files with the “.Remember_you_got_only_24_hours_to_make_the_payment_if_you_dont_pay_prize_will_triple_Mortal_Kombat_Ransomware” file extension. These rename events are captured by FortiEDR as “File Rename Attempt” events and trigger the rule “File Encrypt” from the “Ransomware Prevention” security policy. This can be observed in Figure 5 below.

 


Figure 5. FortiEDR captures file rename attempts associated with the encryption process of the MortalKombat ransomware.

 

Following the file encryption process, the ransomware executable drops a ransom note with the file name “HOW TO DECRYPT FILES.txt” in every folder it has processed for file encryption. The ransom note does not contain an exact ransom amount. The ransom note asks the user to install the qTOX client (a peer-to-peer instant messaging protocol with end-to-end encryption) and communicate with the MortalKombat ransomware group. The ransom note also specifies an email address to be used as an alternative contact method. Figure 6 below shows a screenshot of the ransom note contents.

 


Figure 6. MortalKombat ransomware ransom note.

 


The MortalKombat ransomware also changes the wallpaper of the infected machine to a custom image that contains some characters from the Mortal Kombat movie and part of the ransom note where communication instructions are given. The changed wallpaper can be seen in Figure 7 below.

 


Figure 7. MortalKombat ransomware custom wallpaper with ransom note.

 

MortalKombat Decryptor

For organizations that do not have FortiEDR and who may be affected by MortalKombat ransomware, BitDefender released a free decryptor[4]. This decryptor works for current versions of the MortalKombat ransomware and complements the existing Xorist decryptor from Kaspersky[5]. We have tested this decryptor on the same virtual machine where we detonated the MortalKombat sample, and the decryptor successfully decrypted the files encrypted by the sample under discussion.

 

Conclusion

As highlighted in this article, FortiEDR effectively detects and mitigates the risk of MortalKombat ransomware execution and its subsequent behavior. These protections apply to the wider Xorist ransomware family as well. In the analysis outlined in this article, FortiEDR was configured in ‘Log Only’ mode to demonstrate detection capabilities against all stages of MortalKombat ransomware execution. Some threat hunting queries are included below to allow organizations to put additional detections in place to identify behaviors associated with MortalKombat ransomware execution and to assist with triaging potential intrusions.

 

Proactive defenses, like a modern EDR solution such as FortiEDR, are the best defense against a ransomware threat like MortalKombat or other Xorist variants. Where a solution like this cannot be implemented, defenders can still leverage decryption tools from the cyber security community, like those identified above, to minimize the impact of ransomware execution.

 

Threat Hunting

 

The following threat hunting query will return File Create events generated when a file with a double extension matching .pdf.zip is created. This is the double file extension added to the zip file sent as an attachment to the MortalKombat phishing email, which may be downloaded by a user prior to execution. This technique is not specific to MortalKombat ransomware, but matches should still be investigated.

 

Type:"File Create" AND Target.File.Name:"*.pdf.zip"

The following threat hunting query will return File Create events generated when the MortalKombat ransomware executable creates a copy of itself on execution. This filename and path are fixed for this operation, so this is a high confidence indicator.

 

Type:"File Create" AND Target.File.Name:E7OKC9s3IlhAd13.exe AND Target.File.Path:"*\\AppData\\Local\\Temp"

The following threat hunting query will return registry Value Created events associated with MortalKombat establishing persistence following initial execution. This is a high confidence indicator for the current campaign, but the Registry.Data and Registry.Name field values may need to be adjusted to detect future campaigns.

 

Type: ("Value Created") AND Registry.Path: ("HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run") AND Registry.Data: ("E7OKC9s3IlhAd13.exe") AND Registry.Name: ("Alcmeter")

The following threat hunting query will identify File Create events related to the ransomware sample dropping a ransom note in any folder it has processed for encryption. These ransom notes have an uncommon name and can be found using the following Threat Hunting query. Note that the presence of events matching this query indicates that encryption by the ransomware was successful, so this query should not be used as part of proactive threat hunting; it has been included for completeness only and to assist with scoping affected folders as part of an incident response.

 

Type:"File Create" AND Target.File.Name: ("HOW TO DECRYPT FILES.txt")
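The following is an added example, not FortiEDR code and not part of the original article, that expresses the four threat hunting queries above as Python rules and runs them over a handful of constructed FortiEDR-style events. It also generalizes the .pdf.zip query into a double-extension check covering the .pdf.exe case described in the Introduction (T1036.007), and adds a rename check for the ransom extension that the “File Encrypt” rule catches during encryption. The event dictionaries, their field names (taken from the query syntax on this page) and the sample events are assumptions for illustration, not the FortiEDR export format; the indicator values are the ones reported in this article.

```python
"""Added example: evaluate the article's threat hunting queries over
constructed FortiEDR-style events (dicts keyed by the query field names).
The event layout is an assumption, not the FortiEDR export format."""
import fnmatch
from typing import Callable, Dict, List

Event = Dict[str, str]

# Indicators from the article; the self-copy name and Run value name are
# campaign-specific and may need updating for future campaigns.
SELF_COPY_NAME = "E7OKC9s3IlhAd13.exe"
RUN_KEY = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Alcmeter"
RANSOM_NOTE = "HOW TO DECRYPT FILES.txt"
RANSOM_EXT = ("Remember_you_got_only_24_hours_to_make_the_payment_"
              "if_you_dont_pay_prize_will_triple_Mortal_Kombat_Ransomware")

# Generalisation of the .pdf.zip query (assumed lists): a document-looking
# inner extension hidden behind an archive/executable outer extension.
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
RISKY_EXTS = {"zip", "exe", "scr", "com", "bat", "js", "vbs", "lnk"}


def is_double_extension(name: str) -> bool:
    """True for names such as invoice.pdf.zip or invoice.pdf.exe (T1036.007)."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DOC_EXTS and parts[2] in RISKY_EXTS


def _glob(value: str, pattern: str) -> bool:
    # Case-insensitive wildcard match, standing in for "*" in the page's queries.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def double_pdf_zip(ev: Event) -> bool:
    """Type:"File Create" AND Target.File.Name:"*.pdf.zip" (low confidence alone)."""
    return ev.get("Type") == "File Create" and _glob(ev.get("Target.File.Name", ""), "*.pdf.zip")


def self_copy_to_temp(ev: Event) -> bool:
    """Self-copy into %TEMP% under the fixed file name (high confidence)."""
    return (ev.get("Type") == "File Create"
            and ev.get("Target.File.Name", "").lower() == SELF_COPY_NAME.lower()
            and _glob(ev.get("Target.File.Path", ""), r"*\AppData\Local\Temp"))


def run_key_persistence(ev: Event) -> bool:
    """Value Created in the Run key with the observed value name and data (T1547.001)."""
    return (ev.get("Type") == "Value Created"
            and ev.get("Registry.Path", "").lower() == RUN_KEY.lower()
            and ev.get("Registry.Name") == RUN_VALUE_NAME
            and SELF_COPY_NAME.lower() in ev.get("Registry.Data", "").lower())


def ransom_note_dropped(ev: Event) -> bool:
    """Ransom note creation: encryption already happened, use for IR scoping only."""
    return ev.get("Type") == "File Create" and ev.get("Target.File.Name", "").lower() == RANSOM_NOTE.lower()


def renamed_to_ransom_extension(ev: Event) -> bool:
    """Rename to the MortalKombat extension, the event behind the File Encrypt rule (T1486)."""
    return ev.get("Type") == "File Rename Attempt" and ev.get("Target.File.Name", "").endswith("." + RANSOM_EXT)


RULES: Dict[str, Callable[[Event], bool]] = {
    "double_extension_zip": double_pdf_zip,
    "self_copy_to_temp": self_copy_to_temp,
    "run_key_persistence": run_key_persistence,
    "ransom_note_dropped": ransom_note_dropped,
    "renamed_to_ransom_extension": renamed_to_ransom_extension,
}


def hunt(events: List[Event]) -> Dict[str, List[Event]]:
    """Return, per rule, the events that matched it."""
    hits: Dict[str, List[Event]] = {name: [] for name in RULES}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[name].append(ev)
    return hits


# Constructed sample telemetry: one event per stage plus two benign events.
SAMPLE_EVENTS: List[Event] = [
    {"Type": "File Create", "Target.File.Name": "invoice.pdf.zip", "Target.File.Path": r"C:\Users\alice\Downloads"},
    {"Type": "File Create", "Target.File.Name": SELF_COPY_NAME, "Target.File.Path": r"C:\Users\alice\AppData\Local\Temp"},
    {"Type": "Value Created", "Registry.Path": RUN_KEY, "Registry.Name": RUN_VALUE_NAME,
     "Registry.Data": r"C:\Users\alice\AppData\Local\Temp" + "\\" + SELF_COPY_NAME},
    {"Type": "File Rename Attempt", "Target.File.Name": "report.docx." + RANSOM_EXT, "Target.File.Path": r"C:\Users\alice\Documents"},
    {"Type": "File Create", "Target.File.Name": RANSOM_NOTE, "Target.File.Path": r"C:\Users\alice\Documents"},
    {"Type": "File Create", "Target.File.Name": "report.pdf", "Target.File.Path": r"C:\Users\alice\Documents"},
    {"Type": "Value Created", "Registry.Path": RUN_KEY, "Registry.Name": "OneDrive", "Registry.Data": r"C:\Program Files\OneDrive.exe"},
]

if __name__ == "__main__":
    for name, matched in hunt(SAMPLE_EVENTS).items():
        print(f"{name}: {len(matched)} hit(s)")
```

The wildcard and case handling mirror the intent of the queries rather than FortiEDR's exact matching semantics; when porting a rule back into the Threat Hunting console, keep the page's query strings as the reference and treat the first rule as a triage lead rather than a verdict, since double extensions are not unique to this campaign.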

MITRE ATT&CK Mapping

 

TA0002 - Execution

| Technique ID | Technique Description | Observed Activity |
| --- | --- | --- |
| T1204.002 | User Execution: Malicious File | Malware file is sent as a zip file through a phishing email. |

TA0003 - Persistence

| Technique ID | Technique Description | Observed Activity |
| --- | --- | --- |
| T1547.001 | Registry Run Keys / Startup Folder | Creates an entry in the current user's Run keys for the ransomware copy “E7OKC9s3IlhAd13.exe” on initial execution. The file is written to the fixed path C:\Users\<username>\AppData\Local\Temp\ |

TA0005 - Defense Evasion

| Technique ID | Technique Description | Observed Activity |
| --- | --- | --- |
| T1036.007 | Masquerading: Double File Extension | Both the zip file attached to the phishing email (pdf.zip) and the main MortalKombat executable within the zip file (pdf.exe) use this technique to make the files appear more legitimate so the victim user will execute them. |

TA0007 - Discovery

| Technique ID | Technique Description | Observed Activity |
| --- | --- | --- |
| T1083 | File and Directory Discovery | Gets the list of files and folders for the encryption process. This listing is performed directly by the ransomware executable. |

TA0040 - Impact

| Technique ID | Technique Description | Observed Activity |
| --- | --- | --- |
| T1486 | Data Encrypted for Impact | 1) Encrypts user documents and files. Encryption is performed by the main ransomware process. Files are overwritten with encrypted content, then renamed. 2) Writes a ransom note titled “HOW TO DECRYPT FILES.txt” to multiple folders. |


IOCs

 

| Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes | First Observed |
| --- | --- | --- | --- | --- | --- |
| Malicious Executable | 5d4b97bbf2ca874b5924ec489c90a2e109ae2ad6 | SHA1 Hash | Installation | Primary payload of MortalKombat ransomware | 2022-12-24 |
| Malicious zip | fed0ef1c53333f699f94dffb85c70dae3b51706c | SHA1 Hash | Installation | Execution parent of MortalKombat executable | 2022-12-24 |
| Malicious zip | 8b131fbe7b84e149b379e634a7fb755262825552 | SHA1 Hash | Installation | Execution parent of MortalKombat executable | 2022-12-24 |


[1] https://blog.talosintelligence.com/new-mortalkombat-ransomware-and-laplas-clipper-malware-threats/

[2] https://attack.mitre.org/techniques/T1036/007/

[3] https://www.fortiguard.com/encyclopedia/virus/7976988

[4] https://www.bitdefender.com/blog/labs/bitdefender-releases-decryptor-for-mortalkombat-ransomware/

[5] https://support.kaspersky.com/common/disinfection/2911
