MortalKombat Ransomware Infects Computer, Steals Crypto From Users

By   Adeola Adegunwa
Writer, Informationsecuritybuzz | Feb 15, 2023 06:31 am PST

Organizations in the United States, the Philippines, Turkey, and the United Kingdom have recently been hit by MortalKombat, a new ransomware strain that cybersecurity researchers are calling attention to. Researchers from Cisco’s Talos security team say they have tracked a financially motivated group that deploys MortalKombat alongside a brand-new piece of malware called Laplas Clipper, stealing cryptocurrency from victims while also holding their files to ransom.

The majority of the victims have been in the United States, with a smaller number in the other countries mentioned. Threat researchers first discovered MortalKombat in January 2023, but according to Cisco Talos little is known about its creators or how they operate. The Mortal Kombat media franchise, which includes a number of popular video games and films, is almost certainly the reference behind the ransomware’s name and the wallpaper it installs on the victim’s PC.

Ransom note on wallpaper (Cisco)

The ransomware “encrypts multiple files on the victim machine’s filesystem, including system, application, database, backup, and virtual machine files,” according to the researchers, as well as files on remote locations that are mapped as logical drives on the victim’s workstation.

Additionally, the investigation found that the ransomware group has been scanning the internet for organizations that have left Remote Desktop Protocol (RDP) exposed to the public. That scanning allowed the attackers to target individuals, small businesses, and large organizations alike.

Other attacks in the campaign begin with phishing emails carrying a ZIP attachment. Once the attachment is opened, it deploys either the Laplas Clipper malware or the MortalKombat ransomware and then deletes itself to cover its tracks and complicate analysis.

New Variations Of Xorist Malware By Changing The Names

One email Cisco Talos observed purported to come from CoinPayments, an established international bitcoin payment gateway. It claimed to contain details about a specific transaction in order to trick victims into opening the ZIP file.

The malware deletes several applications, corrupts Windows Explorer, and changes the victim’s desktop wallpaper. The attackers typically contact victims through the qTOX instant messaging program and via email at “hack3dlikeapro[at]proton[.]me.”

The researchers said that similarities in the ransomware’s code, among other indicators, suggest it belongs to the Xorist family, which they said has been around since 2010.

According to the researchers, threat actors can easily create new variations of the Xorist malware by changing the names, encryption file extensions, and ransom notes.

According to research by PCrisk, “Talos discovered that the builder options in a leaked Xorist version closely resembled those in the real Xorist ransomware builder interface. The ransomware builder produces an executable file that the attackers can then further customize.”

The researchers also observed the Laplas Clipper malware alongside MortalKombat; they had first encountered Laplas in an attack in November 2022.

According to Cisco, the malware monitors the victim’s clipboard for cryptocurrency wallet addresses. Once it finds one, it “sends the address to the attacker-controlled Clipper bot, which will generate a lookalike wallet address and overwrite it to the victim’s machine’s clipboard.”

The clipper is sold online for $49 per week or $839 per year. Its creators said on Telegram that they are working on new Laplas Clipper iterations and will release updates soon. Cisco researchers linked two URLs to the campaign, one of which pointed to a server in Poland.


The Laplas clipper and the ransomware known as “MortalKombat” are being used in cyberattacks by hackers running a new financially motivated campaign. Both pieces of malware are used to commit financial fraud: Laplas steals cryptocurrency by intercepting cryptocurrency transactions, and the ransomware extorts victims into paying for a decryptor. Laplas, a cryptocurrency hijacker released last year, watches the Windows clipboard for cryptocurrency addresses and, when it finds one, replaces it with an address under the attacker’s control. According to Cisco Talos, MortalKombat is built on the Xorist family of commodity ransomware, which uses a builder that lets threat actors customize the malware. Free decryptors for Xorist have been available since 2016.
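The clipboard-swapping behaviour described in the two Laplas passages above (the clipper waits for a wallet address on the clipboard, then silently overwrites it with a lookalike) is something a defender can look for from the victim side. The following Python is an added example written for this page, not code from Cisco Talos or from the article; it runs a simple detector over a constructed sequence of clipboard snapshots. It assumes a monitor that records each clipboard change with a timestamp and a flag saying whether a user copy action (such as Ctrl+C) accompanied it; the event list, address patterns and the `user_copied` flag are all assumptions made for the example. An alert fires when an address of one coin is replaced, without a user copy, by a different address of the same coin within a short window, which is exactly the clipper’s signature.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed address patterns for this example: legacy/bech32 Bitcoin and
# Ethereum. Real clippers cover many more formats; two suffice to show the idea.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the coin whose address format the text matches, or None."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None


@dataclass
class ClipboardEvent:
    ts: float          # seconds since the monitor started
    content: str       # clipboard text after this change
    user_copied: bool  # assumption: monitor can tell a user copy from a silent rewrite


def shared_prefix_len(a: str, b: str) -> int:
    """Length of the common prefix; lookalike addresses share a long one."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def detect_clipper_swaps(events: List[ClipboardEvent], window: float = 2.0) -> List[Dict]:
    """Flag clipboard rewrites where a wallet address is silently replaced by a
    different address of the same coin shortly after the user copied it."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        before, after = prev.content.strip(), cur.content.strip()
        coin = classify_address(before)
        if coin is None or before == after:
            continue                      # nothing address-like, or no change
        if cur.user_copied or classify_address(after) != coin:
            continue                      # the user copied something new, or not a same-coin swap
        if cur.ts - prev.ts > window:
            continue                      # too slow to look like an automated swap
        alerts.append({
            "coin": coin,
            "original": before,
            "replacement": after,
            "shared_prefix": shared_prefix_len(before, after),
            "delay": round(cur.ts - prev.ts, 3),
        })
    return alerts


# Constructed sample: a user copies a BTC address, and 0.3 s later the clipboard
# is rewritten (no user action) with a lookalike sharing the first 16 characters.
# Later ETH copies are all user-initiated and must not alert.
BTC_USER = "1Ka5xYv7hZ9mNpQr2sTuWxCdEfGhJkLmNp"
BTC_SWAP = "1Ka5xYv7hZ9mNpQrXYZ2sTuWxCdEfGhJkL"
ETH_A = "0xa1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2"
ETH_B = "0x1111222233334444555566667777888899990000"

SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "Meeting notes", True),
    ClipboardEvent(10.0, BTC_USER, True),
    ClipboardEvent(10.3, BTC_SWAP, False),   # the clipper's silent overwrite
    ClipboardEvent(50.0, ETH_A, True),
    ClipboardEvent(80.0, ETH_B, True),       # user legitimately copies a new address
    ClipboardEvent(80.2, ETH_B, False),      # duplicate notification, same content
]


def run_demo() -> List[Dict]:
    """Run the detector over the constructed sample events."""
    return detect_clipper_swaps(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The detector deliberately keys on the absence of a user copy action rather than on the address content alone, because the replacement address is, by design, a valid-looking address of the same coin; the `shared_prefix` value in each alert is there to show how close the lookalike is, which is the property that fools a victim who only glances at the first few characters before sending funds.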
