Not such a Merry Christmas: The ransomware that also steals user data

Fake email notices from prosecutors infect victims with ransomware and personal data-stealing DiamondFox malware.
Written by Danny Palmer, Senior Writer

The Merry Christmas ransom note features Futurama's evil Robot Santa.

Image: SANS Internet Storm Center

Unsuspecting internet users could find themselves on the receiving end of an unwanted belated Christmas present, malware that doesn't only encrypt their Windows PC and hold it to ransom, but also steals personal data and login credentials.

Spotted by cybersecurity researchers in the first week of the year, the Merry Christmas ransomware - also known as Merry X-Mas - might initially appear to be a strange name for a January ransomware campaign. However, Orthodox Christians celebrate Christmas on January 7 - something which might point towards the involvement of Russian or Eastern European actors.

Whoever is behind the Merry Christmas ransomware, they're distributing it via spam email claiming to be from one of two sources.

One of the campaigns claims the sender is from the Federal Trade Commission, telling the recipient that their company is under investigation for violating the Consumer Credit Protection Act, while the other claims to be a court notice, informing the victim that they've used illegal software and must attend trial.

In both cases the intended victim is sent a link, supposedly to the complaint against them, which when clicked downloads an executable zip file disguised as a PDF document.

When this file is run, it initially works in the background, before - if macros are enabled - executing the ransomware from a Word document within the zip, encrypting the victim's files and displaying a ransom note, the latest version of which features the evil Robot Santa Claus from Futurama. Earlier versions of the ransomware prominently wished the victim a Merry Christmas.
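The delivery chain described above (a zip attachment, a "PDF" that is really an executable, and a Word document that carries the macro) can be triaged statically before anything is opened. The following scanner is an added example written for this article; it is not code from ZDNet, SANS or MalwareHunterTeam, and every file it inspects is constructed in memory with placeholder content rather than taken from a real sample. It flags document-style double extensions, PE headers under non-executable names, members named .pdf that lack the PDF header, and OOXML documents that contain a VBA project.

```python
import io
import zipfile

# Added example: static triage of a zip attachment for the lure pattern the
# article describes. All data below is constructed; there is no real payload.

PE_MAGIC = b"MZ"            # Windows PE files begin with the DOS "MZ" header
PDF_MAGIC = b"%PDF"         # genuine PDF files begin with this signature
ZIP_MAGIC = b"PK\x03\x04"   # OOXML documents (.docx/.docm) are zip containers
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".wsf", ".hta"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".docm", ".rtf", ".txt"}


def _extensions(member_name):
    """All extensions of a member name, e.g. 'a/complaint.pdf.exe' -> ['.pdf', '.exe']."""
    base = member_name.rsplit("/", 1)[-1].lower()
    return ["." + p for p in base.split(".")[1:]]


def _has_macro_project(data):
    """True if data is an OOXML container that carries a VBA macro project."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            # Word stores macros in word/vbaProject.bin; its presence means macros exist.
            return any(n.lower().endswith("vbaproject.bin") for n in inner.namelist())
    except zipfile.BadZipFile:
        return False


def analyse_member(name, data):
    """Return a list of human-readable findings for one archive member."""
    findings = []
    exts = _extensions(name)
    last = exts[-1] if exts else ""
    # 1. Document-looking name that actually ends in an executable extension.
    if len(exts) >= 2 and last in EXECUTABLE_EXTS and exts[-2] in DOCUMENT_EXTS:
        findings.append("document-style double extension ending in " + last)
    # 2. PE header under a name that does not claim to be executable.
    if data.startswith(PE_MAGIC) and last not in EXECUTABLE_EXTS:
        findings.append("PE executable header but extension " + (last or "<none>"))
    # 3. Claims to be a PDF but does not start with the PDF signature.
    if last == ".pdf" and not data.startswith(PDF_MAGIC):
        findings.append("named .pdf but content is not a PDF")
    # 4. Office document with an embedded VBA project (the macro the lure relies on).
    if _has_macro_project(data):
        findings.append("Office document contains a VBA macro project (vbaProject.bin)")
    return findings


def scan_archive(blob):
    """Scan every file in a zip; returns {member_name: [findings]} for flagged members only."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as outer:
        for info in outer.infolist():
            if info.is_dir():
                continue
            # The whole member is read because a nested zip keeps its directory at the end.
            found = analyse_member(info.filename, outer.read(info.filename))
            if found:
                results[info.filename] = found
    return results


def build_sample_archive():
    """Constructed attachment mimicking the lure; placeholder bytes only, not a real sample."""
    doc = io.BytesIO()
    with zipfile.ZipFile(doc, "w") as z:          # a minimal macro-enabled "Word document"
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00placeholder macro project\x00")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("complaint.pdf.exe", PE_MAGIC + b"\x90\x00\x03" + b"\x00" * 60)  # double extension
        z.writestr("summons.pdf", PE_MAGIC + b"\x00" * 32)                           # PE posing as PDF
        z.writestr("complaint.docm", doc.getvalue())                                 # macro document
        z.writestr("notice.pdf", PDF_MAGIC + b"-1.4\n%%EOF\n")                      # benign PDF
    return outer.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_archive(build_sample_archive()).items():
        print(member)
        for r in reasons:
            print("   -", r)
```

The checks are deliberately content-based as well as name-based: a double extension is easy to spot, but a PE header under a plain `.pdf` name, or a `vbaProject.bin` entry inside a document, survives renaming and is what a mail gateway or endpoint triage step should key on.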

Merry Christmas also threatens victims with permanent deletion of all their files if the ransom isn't paid or if the user attempts to decrypt the files without paying the ransom.

Unlike many other ransomware schemes that demand Bitcoin, the victim is encouraged to email 'Comodo Security' in order to find out the price for regaining their encrypted files.

But if that wasn't bad enough, security researchers at MalwareHunterTeam have discovered that the latest version of Merry Christmas ransomware payload also contains data-stealing DiamondFox botnet malware.

As noted by Bleeping Computer, DiamondFox contains the tools required for stealing login details and passwords, remotely opening desktop connections, stealing credit card data from point-of-sale systems and transforming infected PCs into DDoS bots.

Merry Christmas isn't the first ransomware infection to also steal data in addition to money from victims. RAA ransomware started infecting victims with the data-stealing Pony Trojan malware in September last year.

Ransomware boomed during 2016, with the cost of ransomware attacks amounting to more than $1 billion during the year.