MRCR/Merry X-Mas Ransomware (.PEGS1, .MRCR1, .RARE1, .MERRY, or .RMCM1; YOUR_FILES_ARE_DEAD.HTA, MERRY_I_LOVE_YOU_BRUCE.HTA)


MRCR or Merry X-Mas is a ransomware family that first appeared in December last year. It is written in Delphi and uses a custom encryption algorithm. Encrypted files will have either ".PEGS1", ".MRCR1", ".RARE1", ".MERRY", or ".RMCM1" as an extension. The ransom note is named "YOUR_FILES_ARE_DEAD.HTA" or "MERRY_I_LOVE_YOU_BRUCE.HTA" and asks victims to contact either "[email protected]" or "comodosecurity" via the secure mobile messenger Telegram.

The decrypter for this ransomware family can be found here:
https://decrypter.emsisoft.com/mrcr

Detailed usage instructions on how to use the decrypter are available here:
https://decrypter.emsisoft.com/howtos/emsisoft_howto_mrcr.pdf

Due to the mathematical properties of the encryption algorithm utilised by the ransomware, each file pair may have multiple encryption keys. The decrypter has, unfortunately, no way of knowing which one is the correct one. All keys will match for the provided file pair. However, only one of those keys will also match all other files. If the decrypter finds multiple keys, you will have to test the keys manually against some of your other files to find the correct one. To do that, simply attempt to decrypt some files, check the result and if the files are not readable, switch to the next key in the options tab and repeat the process.

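The key ambiguity described in the post above, as an added illustration that is not Emsisoft's decrypter and not the MRCR algorithm: a constructed toy stream cipher whose keystream mixes in the file length, so that one known plaintext/ciphertext pair of even length is consistent with several keys while a second pair of odd length prunes them to one, and a trial decryption of a third file stands in for the manual "try the next key" step. All keys, file names and contents are constructed for the demo.

```python
"""Constructed toy cipher to show why a known-plaintext key search can leave
several keys for one file pair.  NOT the MRCR algorithm or Emsisoft's tool."""

MOD = 256

def keystream(key: int, length: int) -> bytes:
    """Toy keystream: byte i = hi*(i+1) + lo*length (mod 256), hi/lo being
    the two bytes of a 16-bit master key.  The file length acts as a
    per-file tweak, but lo*length is lossy whenever length shares a factor
    with 256: an 8-byte file pins lo down only modulo 32."""
    hi, lo = key >> 8, key & 0xFF
    return bytes((hi * (i + 1) + lo * length) % MOD for i in range(length))

def xor_crypt(key: int, data: bytes) -> bytes:
    """Encrypt or decrypt; XOR with the keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def candidate_keys(pairs):
    """Exhaust the 16-bit key space, keeping every key that maps each known
    plaintext to its ciphertext.  pairs: list of (plaintext, ciphertext)."""
    return [k for k in range(1 << 16)
            if all(xor_crypt(k, p) == c for p, c in pairs)]

def pick_key(candidates, encrypted_file: bytes, looks_valid):
    """The manual step from the post: try each candidate key on another
    encrypted file and keep the first whose output passes a sanity check."""
    for k in candidates:
        if looks_valid(xor_crypt(k, encrypted_file)):
            return k
    return None

# Constructed sample data: an even-length file, an odd-length file, and a
# file with a recognisable header to use as the readability check.
TRUE_KEY = 0x2A5C
SAMPLE_FILES = {"notes.txt": b"MERRY!!!", "hello.txt": b"Hello",
                "report.pdf": b"%PDF-1.4 demo"}
ENCRYPTED = {n: xor_crypt(TRUE_KEY, d) for n, d in SAMPLE_FILES.items()}

if __name__ == "__main__":
    one_pair = [(SAMPLE_FILES["notes.txt"], ENCRYPTED["notes.txt"])]
    cands = candidate_keys(one_pair)          # 8 keys all fit this one pair
    print("keys matching the 8-byte pair:", [hex(k) for k in cands])
    both = one_pair + [(SAMPLE_FILES["hello.txt"], ENCRYPTED["hello.txt"])]
    print("after adding the 5-byte pair:", [hex(k) for k in candidate_keys(both)])
    chosen = pick_key(cands, ENCRYPTED["report.pdf"], lambda d: d[:4] == b"%PDF")
    print("key chosen by trial decryption of report.pdf:", hex(chosen))
```

With the 8-byte pair alone, all eight candidates decrypt that file perfectly, which is exactly why a decrypter cannot tell them apart from a single pair.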

Hello.

Our server was infected on Monday with a ransomware called Merry X-mas and it encrypted all files.

The files' extension changes to .MERRY, for example compras.xls.MERRY.

And it creates an HTML Application called I_LOVE_YOU_MERRY.HTA in each folder.

I tried the Emsisoft Decrypter for MRCR tool but it doesn't work. The reason may be that the extension is different.

I contacted them via Telegram @comodosec and the programmer demands a ransom payment of 2,000 dollars.

They have the e-mail [email protected]

What can I do?

Thank you very much.


Desert.jpg.MERRY

4 hours ago, Pen said:

I have another variant: MERRY_I_LOVE_YOU_BRUCE.HTA that won't work with the decrypter. Any hope? What can I provide to help? Thanks.

I too am dealing with a machine that has MERRY_I_LOVE_YOU_BRUCE.HTA, and the decrypter doesn't work. Hoping for a new update for this variant. Fingers crossed.

50 minutes ago, Pen said:

We have shut down the machine that was the source of the infection. Will encrypted files on shares still be deleted at the deadline? If so, is there a process to look for? Thank you.

I've made a copy to an external HDD. The files still exist, even after the delete date has passed.

They still wait for $2k ;-)


@Billy C Thank you for the file. I will forward it to our analysts.

@Pen Thank you for the file. I will forward it to our analysts.

On 1/23/2017 at 9:43 PM, Pen said:

We have shut down the machine that was the source of the infection. Will encrypted files on shares still be deleted at the deadline? If so, is there a process to look for? Thank you.

As long as the infected machine has been taken offline, and no other systems are infected, then the files on the shares should be safe.


Hello,
I just got infected by the virus MERRY_I_LOVE_YOU_BRUCE.HTA and after using the application https://decrypter.emsisoft.com/download/mrcr I get a warning that it does not work.

I am attaching two original files and two encrypted ones so that you can try to help me as soon as possible, or tell me how I can recover the information.

A greeting.
Bruno.

2FILES.zip


Thanks Kevin,

I can find and send other files, but I can't locate the source of the infection.

I don't know how it happened; it's my friend's computer.

On this infected PC (running Windows Server 2012) there is no mail program and usually nobody works on it; it's just a file and base server.

I suspect it was infected months ago and the malware has only now activated.

My idea is to format the PC to be sure all the malware will be killed. I'm still waiting for your advice, but if there is no success I will do this.

/BR


Before coming here for help, this morning I renewed Kaspersky Total Security. It removed the exe file "chrome font", but the pop-up is still activated after a PC restart.

Downloaded the MRCR decoder and attempted to decode. It failed but not sure I am using it correctly.


I was able to find the address for the "Chrome font file" in my Chrome download history

Please advise on how to share this information if needed.

My hard drive is partitioned; the required files below only ran on my C:\ drive.

I don't know how to run it on my D:\ drive if that is required.

Thank you for any and all help with this issue.


FRST.txt

Addition.txt

scan_170125-191752.txt


Hello Kevin,

I have tried the software that you sent me, but it does not work; I get the same error that I already reported before with the tool that you have on the main website. I have attached 2 original files and 2 encrypted ones, as well as a capture of the error, to see if it can be solved.

The file that infected me was called Chrome_Font.exe, the same as was mentioned in some forum thread. I do not have the file since it was deleted by my antivirus.

Thank you.
Bruno.


Files_ERROR.zip


Hello,

Currently, our MRCR decryption tool does not handle this variant. We do have samples of chrome-font.exe that are being analyzed to determine if this variant can be broken. If so, the MRCR decryption tool will be updated to handle this variant. I do not have a timeline for any updates.


Bruno,

Currently, our MRCR decryption tool does not handle this variant. We do have samples of chrome-font.exe that are being analyzed to determine if this variant can be broken. If so, the MRCR decryption tool will be updated to handle this variant. I do not have a timeline for any updates.


Hello,
Like everybody at this time, I also got the Merry I Love You Bruce ransomware.
I caught this on my supplier's site:
the characters looked bad, Chrome asked me to download a font (Chrome_Font.exe) and Bruce arrived.

Sorry for my English, I'm from France; to my knowledge we are only 2 French people to have this ransomware.

Malekal is already helping me but there they are deadlocked.

Your decrypter is not working for me, do you want other encrypted files and original files ? What extension (pdf, jpg, txt, doc...) ?
I can't download the Emsisoft kit, there is a 404 error. Edit: the URL is broken in the French translation; the dl11.emsisoft.com English link is good.


I am really in the shit because I have a company, and if I do not recover my files I will have to close my company.
In addition I had planned for the arrival of a virus, having already caught CryptoWall a few years ago; I received my hard disk 2 days after this infection. I am very angry!

I attach the files from FRST. (It's the second pass; the first one was done with Malekal.)

If you want the first result from FRST, it's here:
http://pjjoint.malekal.com/files.php?id=FRST_20170125_n5s15i13e14j11
http://pjjoint.malekal.com/files.php?id=20170125_b14b5k9d610
http://pjjoint.malekal.com/files.php?id=20170125_p7i9k5j8v11

The fixlist:

CreateRestorePoint:
CloseProcesses:
2017-01-24 23:29 - 2017-01-24 23:29 - 00091845 _____ C:\Users\JESS\Downloads\MERRY_I_LOVE_YOU_BRUCE.HTA
2017-01-24 23:05 - 2017-01-24 23:05 - 00091845 _____ C:\Users\JESS\Documents\MERRY_I_LOVE_YOU_BRUCE.HTA
2017-01-24 23:04 - 2017-01-24 23:04 - 00091845 _____ C:\Users\JESS\Desktop\MERRY_I_LOVE_YOU_BRUCE.HTA
2017-01-24 23:04 - 2017-01-24 23:04 - 00091845 _____ C:\Users\JESS\AppData\Roaming\MERRY_I_LOVE_YOU_BRUCE.HTA
2017-01-24 22:57 - 2017-01-24 22:57 - 05559264 ____N C:\Users\JESS\Downloads\aircrack-ng-1.2-rc2-win.zip
2017-01-24 22:51 - 2017-01-24 22:51 - 00091845 _____ C:\Users\JESS\AppData\Local\MERRY_I_LOVE_YOU_BRUCE.HTA
2017-01-24 23:04 - 2017-01-24 23:04 - 0091845 _____ () C:\Users\JESS\AppData\Roaming\MERRY_I_LOVE_YOU_BRUCE.HTA
2016-05-17 11:01 - 2017-01-24 23:04 - 0000177 _____ () C:\Users\JESS\AppData\Roaming\WB.CFG.MERRY
2017-01-24 22:51 - 2017-01-24 22:51 - 0091845 _____ () C:\Users\JESS\AppData\Local\MERRY_I_LOVE_YOU_BRUCE.HTA
Hosts:
EmptyTemp:
RemoveProxy:
Reboot:

Here I think you have everything.

Thanks for your help Kevin.

Addition.txt

Fixlog.txt

FRST.txt

mbam.txt

Shortcut.txt

TARIFS TOBOGGAN A4.doc

TARIFS TOBOGGAN A4.doc.MERRY

scan_170127-194458.txt

scan_170127-194607.txt


Hi Kevin,

I've been following the other threads regarding MRCR Bruce, as our systems were infected on Monday 23 Jan. Since then I've managed to track down the infected machine, isolate it and run several scans. I've run Emsisoft Anti-Malware and the Farbar Recovery Scan Tool. The results are attached, along with the Chrome_Font.exe in case it's a different version to the others.

I believe the route of infection was a website, http://www.tomchambers.co.uk/. This site did not display correctly on first load and initiated a file download of the notorious Chrome_Font.exe. While the site appears to be okay now, I can't be sure. Perhaps you could check this site for any potential infection.

We really appreciate your help and hope the creation of a decryption tool will be possible.


Best regards,

Peter.

peter-morgan--MERRY_I_LOVE_YOU_BRUCE.zip


Hi Kevin, Thank you for taking the time to respond.


Wondering if you might know whether my currently encrypted files will actually be deleted when the timer is up? (3 days and counting)

Newly saved .docx and .jpeg files do not seem to get encrypted, and I am hoping this indicates that my encrypted files are currently safe from permanent loss.

Thank You



I also landed with this delightful virus this morning. I went on to a supplier's webpage and had to download Chrome_Font.exe as I could not view the site. The rest is history. I would like to find out if by some small chance you have a timeline on a decryption tool for the latest strain of .MERRY files?

What anti virus or malware program do you recommend for the removal of the virus?

I have also got the MERRY_I_LOVE_YOU_BRUCE.HTA file in each of the affected folders.


I got this Merry I Love You Bruce thing on my computer and all my files now have a .merry extension and I can't access them. I tried to download the decrypter but it wouldn't run. My hard drive crashed so it has been replaced and all the recovered files still have this extension. I really need to access them. This is my first experience of this kind of virus and I'm stumped. Please help!!

scan_170127-195237.txt

Addition_27-01-2017 20.04.09.txt

FRST_27-01-2017 20.04.09.txt
