In addition to encrypting files, the Merry Christmas ransomware can also drop DiamondFox malware capable of turning infected machines into bots, stealing POS payment data, and more.

The developer behind a newly discovered ransomware named “Merry Christmas” is either slightly behind the times or simply doesn't want the holidays to end. Not only was the malicious file encryptor found operating in the wild a whole nine days after Christmas, on Jan. 3, 2017, but researchers later found a new variant on Jan. 8 that drops DiamondFox malware as a secondary infection, BleepingComputer reported on Monday.

DiamondFox is a highly versatile malware program whose individual components can be deployed on a case-by-case basis, including modules that recruit bots for distributed denial-of-service attacks, steal credit card data from point-of-sale systems, pilfer browser passwords, open remote desktop connections, and more. MalwareHunterTeam is credited with discovering the link between Merry Christmas and DiamondFox.

The original version of Merry Christmas – reportedly discovered by researchers with the Twitter handles @dvk01uk, @PolarToffee and @Techhelplistcom – features a ransom note with a festive red theme and the warm greeting “MERRY CHRISTMAS.” Regrettably, this introduction is followed by “ALL COMPUTER DATA ENCRYPTED!” and a countdown clock showing how much time the victim has to pay before all his or her files are permanently deleted. The second version, discovered by Palo Alto Networks Unit 42 threat intelligence analyst Brad Duncan, contains the same message but with different imagery, including a cartoon bomb and the evil Robot Santa Claus character from the animated sitcom Futurama.

In both versions, the malware generates its ransom note as a file named “YOUR_FILES_ARE_DEAD.hta” and places it in every folder that contains an encrypted document. The note instructs victims to contact the cybercriminal operation, dubbed “ComodoSecurity,” via Telegram or email. It is not known at this time how much ransom the culprit or culprits are demanding. In addition to encrypting files, the ransomware also communicates various details about the infected machine to its command-and-control server, including user name, computer name, running processes, installed programs, local time and hardware information.
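As an added example (not code from the article or from the researchers it cites), a small Python triage helper an incident responder could use on a suspect volume: it walks a directory tree, lists every folder that holds the YOUR_FILES_ARE_DEAD.hta note described above, and takes the earliest note timestamp as a rough marker of when encryption began. The sample tree it builds is constructed for the demonstration.

```python
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Marker named in the article: the ransom note dropped beside encrypted files.
RANSOM_NOTE = "YOUR_FILES_ARE_DEAD.hta"


@dataclass
class TriageResult:
    affected_dirs: List[str]          # directories containing the ransom note
    first_seen: Optional[datetime]    # earliest note mtime (UTC); rough encryption start


def triage_tree(root: str) -> TriageResult:
    """Walk `root` and report every directory holding the Merry Christmas ransom note."""
    hits = []
    earliest = None
    for dirpath, _dirs, files in os.walk(root):
        if RANSOM_NOTE in files:
            hits.append(dirpath)
            mtime = os.stat(os.path.join(dirpath, RANSOM_NOTE)).st_mtime
            if earliest is None or mtime < earliest:
                earliest = mtime
    first_seen = (datetime.fromtimestamp(earliest, tz=timezone.utc)
                  if earliest is not None else None)
    return TriageResult(sorted(hits), first_seen)


def build_sample_tree() -> str:
    """Constructed sample: two folders carrying the note and one clean folder."""
    root = tempfile.mkdtemp(prefix="mc_triage_")
    for sub, infected in (("Documents", True), ("Pictures", True), ("Downloads", False)):
        d = os.path.join(root, sub)
        os.makedirs(d)
        with open(os.path.join(d, "report.docx"), "wb") as fh:
            fh.write(b"placeholder content")        # stands in for a user document
        if infected:
            with open(os.path.join(d, RANSOM_NOTE), "w", encoding="utf-8") as fh:
                fh.write("<html><body>ALL COMPUTER DATA ENCRYPTED!</body></html>")
    return root


if __name__ == "__main__":
    result = triage_tree(build_sample_tree())
    print(f"{len(result.affected_dirs)} affected folder(s); first note written {result.first_seen}")
```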

According to an earlier BleepingComputer report dated Jan. 4, the ransomware is distributed via spam emails containing malicious links that lead to a domain under the malware developer's control, “govapego.com.”

Originally, the spam emails purported to be a notice from the Federal Trade Commission advising businesses that an individual filed a consumer complaint against them, alleging a violation of the Consumer Credit Protection Act. Clicking on the link would supposedly download the complaint document and a plaintiff contact information form. The second version of the malware arrived in spam emails claiming to be a notice to appear in court. The emails encouraged recipients to click a malicious link, purportedly leading to an attached plaint note.

In reality, clicking on these links triggers a malicious download that ultimately installs and executes the Merry Christmas ransomware.

While the Christmas theme would appear to be rather outdated by Jan. 8, Duncan noted in his post on the SANS ISC InfoSec Forums that the version he detected was found just one day after Orthodox Christian communities that follow the Julian calendar celebrate the holiday – including many observers located in Eastern Europe and former Soviet countries.