Angel Aguilar

MRCR/Merry X-Mas Ransomware (.PEGS1, .MRCR1, .RARE1, .MERRY, or .RMCM1; YOUR_FILES_ARE_DEAD.HTA, MERRY_I_LOVE_YOU_BRUCE.HTA)


MRCR or Merry X-Mas is a ransomware family that first appeared in December last year. It is written in Delphi and uses a custom encryption algorithm. Encrypted files will have either ".PEGS1", ".MRCR1", ".RARE1", ".MERRY", or ".RMCM1" as an extension. The ransom note is named "YOUR_FILES_ARE_DEAD.HTA" or "MERRY_I_LOVE_YOU_BRUCE.HTA" and asks victims to contact either "[email protected]" or "comodosecurity" via the secure mobile messenger Telegram.

The decrypter for this ransomware family can be found here:
https://decrypter.emsisoft.com/mrcr

Detailed usage instructions on how to use the decrypter are available here:
https://decrypter.emsisoft.com/howtos/emsisoft_howto_mrcr.pdf

Due to the mathematical properties of the encryption algorithm utilised by the ransomware, each file pair may have multiple encryption keys. The decrypter has, unfortunately, no way of knowing which one is the correct one. All keys will match for the provided file pair. However, only one of those keys will also match all other files. If the decrypter finds multiple keys, you will have to test the keys manually against some of your other files to find the correct one. To do that, simply attempt to decrypt some files, check the result and if the files are not readable, switch to the next key in the options tab and repeat the process.

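The key ambiguity described in the post above, as an added example that is neither Emsisoft's decrypter nor the MRCR cipher (the post only calls it custom): a toy cipher with the same property, where a single plaintext/ciphertext pair fits several keys, all of which decrypt that pair correctly, and the candidates are narrowed by trial-decrypting the first bytes of other encrypted files and checking for a known file header, which is the automated form of the manual "is the result readable?" check the post recommends. The cipher, key, file signatures and sample files are all assumptions for illustration.

```python
"""
Added example: a toy cipher, NOT the MRCR/Merry X-Mas algorithm and NOT
Emsisoft's decrypter, that reproduces the situation in the post: one
plaintext/ciphertext pair fits several keys, and only other encrypted files
can tell them apart. All parameters, keys and sample files are assumed.
"""
from typing import List, Sequence

MOD = 1 << 16  # the toy cipher multiplies 16-bit little-endian words by the key


def _words(data: bytes) -> List[int]:
    return [int.from_bytes(data[i:i + 2], "little") for i in range(0, len(data) - 1, 2)]


def toy_encrypt(key: int, data: bytes) -> bytes:
    """c_i = p_i * key (mod 2^16) per word; a trailing odd byte is XORed with key's low byte.
    If a plaintext word is even, the top bits of the key drop out of the product, which
    is why a file pair made only of even words cannot pin the key down completely."""
    assert key % 2 == 1, "key must be odd so it is invertible mod 2^16"
    out = bytearray()
    for w in _words(data):
        out += ((w * key) % MOD).to_bytes(2, "little")
    if len(data) % 2:
        out.append(data[-1] ^ (key & 0xFF))
    return bytes(out)


def toy_decrypt(key: int, data: bytes) -> bytes:
    inv = pow(key, -1, MOD)  # modular inverse, exists because key is odd
    out = bytearray()
    for w in _words(data):
        out += ((w * inv) % MOD).to_bytes(2, "little")
    if len(data) % 2:
        out.append(data[-1] ^ (key & 0xFF))
    return bytes(out)


def candidate_keys(plain: bytes, cipher: bytes) -> List[int]:
    """Every key that maps the known plaintext to the known ciphertext (brute force
    over the toy key space). Each of them decrypts the pair perfectly."""
    return [k for k in range(1, MOD, 2) if toy_encrypt(k, plain) == cipher]


# Well-known file signatures; "readable" here means a trial decryption starts with one.
MAGIC = {
    b"\xff\xd8\xff": "JPEG",
    b"%PDF-": "PDF",
    b"PK\x03\x04": "ZIP / DOCX / XLSX",
    b"\xd0\xcf\x11\xe0": "OLE2 (DOC / XLS)",
}


def looks_readable(data: bytes) -> bool:
    return any(data.startswith(sig) for sig in MAGIC)


def narrow_keys(candidates: Sequence[int], other_encrypted: Sequence[bytes]) -> List[int]:
    """The automated form of the manual check in the post: keep only candidates that
    turn the first bytes of every other encrypted file into a recognised header."""
    return [k for k in candidates
            if all(looks_readable(toy_decrypt(k, c[:8])) for c in other_encrypted)]


def recover_key(pair_plain: bytes, pair_cipher: bytes, other_encrypted: Sequence[bytes]):
    cands = candidate_keys(pair_plain, pair_cipher)
    return cands, narrow_keys(cands, other_encrypted)


# Constructed demo data (assumed): the "file pair" is a 4-byte file whose words are all even.
TRUE_KEY = 0xA5C3
PAIR_PLAIN = b"0000"
PAIR_CIPHER = toy_encrypt(TRUE_KEY, PAIR_PLAIN)
OTHER_ENCRYPTED = [
    toy_encrypt(TRUE_KEY, b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01"),  # e.g. Desert.jpg.MERRY
    toy_encrypt(TRUE_KEY, b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),        # e.g. invoice.pdf.MERRY
]

if __name__ == "__main__":
    cands, survivors = recover_key(PAIR_PLAIN, PAIR_CIPHER, OTHER_ENCRYPTED)
    print(f"{len(cands)} keys fit the file pair: {[hex(k) for k in cands]}")
    print(f"keys that also open the other files: {[hex(k) for k in survivors]}")
```

With this toy the pair of "0000" leaves 16 candidate keys, every one of which restores that file, and a single other file whose plaintext starts with an odd word (here a JPEG) eliminates all but the true key. The practical lesson is the one the post makes: pick the file pair from a larger, header-bearing file where you can, and when the tool reports several keys, validate against files of different types rather than against more copies of the same type.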

Hello.

Our server was infected with a ransomware called Merry X-mas on Monday and it encrypted all files.

The files change their extension to .MERRY, for example compras.xls.MERRY.

And it creates an HTML Application called I_LOVE_YOU_MERRY.HTA in each folder.

I tried the Emsisoft Decrypter for MRCR tool but it doesn't work. The reason may be that the extension is different.

I contacted them via Telegram (@comodosec) and the programmer demands a payment of 2,000 dollars for the ransom.

They have the e-mail [email protected]

What can I do?

Thank you very much.

 

Desert.jpg.MERRY


I have forwarded that information to our decryption tool developer.  Hopefully, he will have a solution in a day or two.


I have another variant: MERRY_I_LOVE_YOU_BRUCE.HTA that won't work with the decrypter. Any hope? What can I provide to help? Thanks.

4 hours ago, Pen said:

I have another variant: MERRY_I_LOVE_YOU_BRUCE.HTA that won't work with the decrypter. Any hope? What can I provide to help? Thanks.

I too am dealing with a machine that has the MERRY_I_LOVE_YOU_BRUCE.HTA that doesn't work.  Hoping for a new update with this variant.  Fingers crossed.


@Pen @Billy C What would be most helpful would be a copy of the email attachment, or executable file, that was opened and installed this variant of the Merry X-mas ransomware.


An HTA file is an HTML Application that does not require a browser to display HTML pages.  If you know how this got on the system, normally by opening a malicious email attachment, we would need that file.



I have not yet found a workstation that has been infected, so haven't found a source email attachment. I suspect a server login via RDP using a vendor account with a weak password. Are there other file types I should look for? Thanks.


If it was an RDP attack, then all traces of the attack will have been deleted from the infected system.  Until we are able to get a copy of the actual malware, the encrypted files cannot be decrypted without paying the ransom.


We have shut down the machine that was the source of the infection. Will encrypted files on shares still be deleted at the deadline? If so, is there a process to look for? Thank you.

50 minutes ago, Pen said:

We have shut down the machine that was the source of the infection. Will encrypted files on shares still be deleted at the deadline? If so, is there a process to look for? Thank you.

I've made a copy to an external HDD. The files still exist, even though the deletion date has passed.

They still wait for $2k ;-)


Then this is the newer variant we cannot decrypt.  We would need the malware itself so that our analyst can examine it.


@Billy C Thank you for the file.  I will forward it to our analysts.

@Pen Thank you for the file.  I will forward it to our analysts.

On 1/23/2017 at 9:43 PM, Pen said:

We have shut down the machine that was the source of the infection. Will encrypted files on shares still be deleted at the deadline? If so, is there a process to look for? Thank you.

 

As long as the infected machine has been taken offline, and no other systems are infected, then the files on the shares should be safe.

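Scoping the damage on a share, as an added example rather than a tool from this thread: the script walks a tree for the extensions and ransom-note names listed in the first post, groups the note copies by hash (the FRST listings further down show the same 91845-byte .HTA dropped in every folder), bounds the time of the run from the encrypted files' mtimes, and compares two inventories so that encrypted files appearing after the suspect machine was isolated, which would mean another host is still running the malware, stand out. The directory layout is constructed in a temporary directory for the demo; the function and file names are assumptions.

```python
"""
Added example, not from the thread: inventory a share (or a copy of it) for
files hit by this family and detect whether encryption is still going on,
using the extensions and ransom-note names from the first post. The sample
tree below is constructed in a temporary directory.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Set

ENCRYPTED_EXT = {".PEGS1", ".MRCR1", ".RARE1", ".MERRY", ".RMCM1"}
RANSOM_NOTES = {"YOUR_FILES_ARE_DEAD.HTA", "MERRY_I_LOVE_YOU_BRUCE.HTA"}


def inventory(root: str) -> Dict:
    """Walk root; return encrypted paths, note paths grouped by SHA-256, and the
    mtime range of the encrypted files (a rough bound on when the run happened)."""
    enc, notes, mtimes = set(), {}, []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name.upper() in RANSOM_NOTES:
                digest = hashlib.sha256(p.read_bytes()).hexdigest()
                notes.setdefault(digest, set()).add(str(p))
            elif p.suffix.upper() in ENCRYPTED_EXT:
                enc.add(str(p))
                mtimes.append(p.stat().st_mtime)
    return {"encrypted": enc, "notes": notes,
            "first": min(mtimes, default=None), "last": max(mtimes, default=None)}


def newly_encrypted(before: Dict, after: Dict) -> Set[str]:
    """Files encrypted between two inventories. Non-empty after the suspect
    machine was taken offline means another host is still infected."""
    return after["encrypted"] - before["encrypted"]


def build_demo_share(root: str) -> None:
    """Constructed sample tree mimicking the reports above (.xls.MERRY, note per folder)."""
    for folder in ("Finance", "Finance/2016", "Photos"):
        d = Path(root) / folder
        d.mkdir(parents=True, exist_ok=True)
        (d / "MERRY_I_LOVE_YOU_BRUCE.HTA").write_bytes(b"<html>ransom note</html>")
    (Path(root) / "Finance" / "compras.xls.MERRY").write_bytes(b"\x00" * 64)
    (Path(root) / "Finance" / "2016" / "budget.docx.MERRY").write_bytes(b"\x00" * 64)
    (Path(root) / "Photos" / "Desert.jpg.MERRY").write_bytes(b"\x00" * 64)
    (Path(root) / "Photos" / "new_photo.jpg").write_bytes(b"\xff\xd8\xff")  # untouched


def demo() -> Dict:
    with tempfile.TemporaryDirectory() as root:
        build_demo_share(root)
        before = inventory(root)
        # Simulate the malware still running somewhere: one more file gets hit.
        (Path(root) / "Photos" / "new_photo.jpg.MERRY").write_bytes(b"\x00" * 3)
        after = inventory(root)
        return {"encrypted_count": len(before["encrypted"]),
                "note_variants": len(before["notes"]),
                "note_copies": sum(len(v) for v in before["notes"].values()),
                "still_active": sorted(Path(p).name for p in newly_encrypted(before, after))}


if __name__ == "__main__":
    print(demo())
```

Run `inventory()` against the share once the suspect machine is off the network, again an hour later, and feed both results to `newly_encrypted()`; an empty result is the evidence behind the answer above that files on the shares are safe, while any new entries point at a second infected host to find.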
7 hours ago, Kevin Zoll said:

Do not piggyback on another user's support topic. Though you appear to have the same problem, no two machines are alike. Start your own support topic.

As you wish, Kevin, but the problem is probably the same.

/BR


Hello,
I just got infected by the virus MERRY_I_LOVE_YOU_BRUCE.HTA and after using the application https://decrypter.emsisoft.com/download/mrcr I get a warning that it does not work.

I attach two original files and two encrypted ones so that you can try to help me as soon as possible or tell me how I can recover the information.

Regards.
Bruno.

2FILES.zip


Hello Krall,

Unfortunately, copies of the original file and its encrypted version cannot be used to reverse engineer the encryption. We will need the malware itself to have any chance of cracking the encryption.


Thanks Kevin,

I can find and send other files but I can't locate the source of the infection.

I don't know how it happened; that's my friend's computer.

On this infected PC (running Windows Server 2012) there is no mail program and usually nobody works on it; it's just a file and database server.

I suspect it was infected months ago and the malware has now activated.

My idea is to format the PC to be sure all the malware is killed. I'm still waiting for your advice, but if there is no success I will do this.

 

/BR


Kris,

Thanks for the files,  I have forwarded the RAR archive to the MRCR decrypter developer.  Hopefully, he will have a solution shortly.


Before coming here for help, this morning I renewed Kaspersky Total Security. It removed the exe file "chrome font", but the pop-up is still activated after a PC restart.

Downloaded the MRCR decoder and attempted to decode. It failed but not sure I am using it correctly.

 

I was able to find the address for the "Chrome font file" in my Chrome download history

Please advise on how to share this information if needed.

 

My hard drive is partitioned; the required files below only ran on my C: drive.

I don't know how to run it on my D: drive if it is required.

 

Thank you for any and all help with this issue.

 

 

FRST.txt

Addition.txt

scan_170125-191752.txt


Hello Kevin,

I have tried the software that you sent me but it does not work; I get the same error that I already reported before with the tool that you have on the main website. I attached 2 original files and 2 encrypted ones, as well as a screenshot of the error, to see if it can be solved.

The file that infected me was called Chrome_Font.exe, the same one that was posted in some forum thread. I do not have the file since it was deleted by my antivirus.

Thank you.
Bruno.

 

Files_ERROR.zip


Hello,

Currently, our MRCR decryption tool does not handle this variant.  We do have samples of chrome-font.exe that are being analyzed to determine if this variant can be broken.  If so, the MRCR decryption tool will be updated to handle this variant.  I do not have a timeline for any updates.


Bruno,

Currently, our MRCR decryption tool does not handle this variant.  We do have samples of chrome-font.exe that are being analyzed to determine if this variant can be broken.  If so, the MRCR decryption tool will be updated to handle this variant.  I do not have a timeline for any updates.


Krall,

The server may have been compromised via a successful RDP attack. Make sure RDP is configured properly, and change all passwords on the server.

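A way to test the RDP suspicion raised in this thread (a vendor account with a weak password, then a successful logon followed by the encryption run), as an added example rather than anything posted here: the script scans an exported Windows Security log for a burst of failed logons (event 4625) from one source address followed by a successful RemoteInteractive logon (event 4624, LogonType 10) from the same address. The event IDs and logon types are standard Windows values; the pipe-separated export format, thresholds and sample lines are constructed for this example.

```python
"""
Added example, not from the thread: look for the RDP password-guessing pattern
suspected above in an exported Windows Security log. Event IDs 4625 (failed
logon) and 4624 (successful logon) and LogonType 10 (RemoteInteractive) are
standard Windows values; the pipe-separated export format and the sample lines
are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

THRESHOLD = 5          # failures from one source inside the window count as guessing
WINDOW_SECONDS = 900
# With Network Level Authentication on, failed RDP attempts are normally logged
# with LogonType 3 (Network) rather than 10, so both types count as failures.
FAIL_TYPES = {3, 10}
SUCCESS_TYPE = 10

# Constructed export: time|EventID|LogonType|TargetUserName|IpAddress
SAMPLE_EXPORT = """\
2017-01-22T02:14:03|4625|3|administrator|203.0.113.45
2017-01-22T02:14:06|4625|3|admin|203.0.113.45
2017-01-22T02:14:09|4625|3|vendor|203.0.113.45
2017-01-22T02:14:12|4625|3|vendor01|203.0.113.45
2017-01-22T02:14:15|4625|3|vendor01|203.0.113.45
2017-01-22T02:14:18|4625|3|vendor01|203.0.113.45
2017-01-22T02:14:21|4624|10|vendor01|203.0.113.45
2017-01-22T08:55:40|4625|10|jsmith|10.0.0.25
2017-01-22T08:56:02|4624|10|jsmith|10.0.0.25
2017-01-23T01:10:00|4625|3|backup|198.51.100.7
2017-01-23T01:10:30|4625|3|backup|198.51.100.7
"""


def parse_export(text: str) -> List[Dict]:
    events = []
    for line in text.strip().splitlines():
        ts, eid, ltype, user, src = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "id": int(eid),
                       "type": int(ltype), "user": user, "src": src})
    return sorted(events, key=lambda e: e["time"])


def find_rdp_guessing(events: List[Dict]) -> Dict[str, Dict]:
    """One finding per source IP that reached THRESHOLD failures inside
    WINDOW_SECONDS; success_as/success_at record a later RDP logon from it."""
    window = defaultdict(list)   # src -> failure times still inside the window
    tried = defaultdict(set)     # src -> every account it failed against
    findings: Dict[str, Dict] = {}
    for e in events:
        recent = window[e["src"]]
        recent[:] = [t for t in recent if (e["time"] - t).total_seconds() <= WINDOW_SECONDS]
        if e["id"] == 4625 and e["type"] in FAIL_TYPES:
            recent.append(e["time"])
            tried[e["src"]].add(e["user"])
            if len(recent) >= THRESHOLD:
                f = findings.setdefault(e["src"], {"src": e["src"], "success_as": None,
                                                   "success_at": None})
                f["failures"] = len(recent)
                f["accounts_tried"] = sorted(tried[e["src"]])
        elif e["id"] == 4624 and e["type"] == SUCCESS_TYPE and e["src"] in findings:
            # a success from an address that was just guessing: reset that account first
            findings[e["src"]]["success_as"] = e["user"]
            findings[e["src"]]["success_at"] = e["time"].isoformat()
    return findings


if __name__ == "__main__":
    for f in find_rdp_guessing(parse_export(SAMPLE_EXPORT)).values():
        print(f)
```

The export would normally come from the Security log (Event Viewer or Get-WinEvent) before the server is rebuilt; take it from a forensic copy if one exists. Two caveats a responder should keep in mind: if the log was cleared, as the reply above warns can happen, event 1102 ("the audit log was cleared") is itself the trace to look for, and the `success_as` account is the one to disable and reset first, together with every other account that shares its password, before RDP is exposed again.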

Hi Kevin,

Thanks for identifying the source of the infection.

As I said, to be sure I will format or do a fresh Windows installation.

But what about decrypting the infected files? Is there any chance of finding a solution?


Hello,
Like everybody at the moment, I also caught the ransomware Merry I Love You Bruce.
I caught this on the site of my supplier.
The characters looked wrong, Chrome asked me to download a font (Chrome_Font.exe) and Bruce arrived.

Sorry for my English, I'm from France; to my knowledge we are only two French people to have this ransomware.

Malekal is already helping me but they are stuck there.

Your decrypter is not working for me. Do you want other encrypted files and original files? What extension (pdf, jpg, txt, doc...)?
I can't download the Emsisoft kit; there is a 404 error. Edit: the URL is broken in the French translation of the rules; the dl11.emsisoft.com English link is good.


I am really in the shit because I have a company and if I do not recover my files I will have to close my company.
In addition I had planned for the arrival of a virus, having already caught CryptoWall a few years ago; I received my hard disk 2 days after this infection. I am very angry!

I attach the files with FRST. (It's the second pass; the first one was done with Malekal.)

If you want the first result with FRST, it's here :
http://pjjoint.malekal.com/files.php?id=FRST_20170125_n5s15i13e14j11
http://pjjoint.malekal.com/files.php?id=20170125_b14b5k9d610
http://pjjoint.malekal.com/files.php?id=20170125_p7i9k5j8v11

The fixlist:

CreateRestorePoint:
CloseProcesses:
2017-01-24 23:29 - 2017-01-24 23:29 - 00091845 _____ C:\Users\JESS\Downloads\MERRY_I_LOVE_YOU_BRUCE.HTA
2017-01-24 23:05 - 2017-01-24 23:05 - 00091845 _____ C:\Users\JESS\Documents\MERRY_I_LOVE_YOU_BRUCE.HTA
2017-01-24 23:04 - 2017-01-24 23:04 - 00091845 _____ C:\Users\JESS\Desktop\MERRY_I_LOVE_YOU_BRUCE.HTA
2017-01-24 23:04 - 2017-01-24 23:04 - 00091845 _____ C:\Users\JESS\AppData\Roaming\MERRY_I_LOVE_YOU_BRUCE.HTA
2017-01-24 22:57 - 2017-01-24 22:57 - 05559264 ____N C:\Users\JESS\Downloads\aircrack-ng-1.2-rc2-win.zip
2017-01-24 22:51 - 2017-01-24 22:51 - 00091845 _____ C:\Users\JESS\AppData\Local\MERRY_I_LOVE_YOU_BRUCE.HTA
2017-01-24 23:04 - 2017-01-24 23:04 - 0091845 _____ () C:\Users\JESS\AppData\Roaming\MERRY_I_LOVE_YOU_BRUCE.HTA
2016-05-17 11:01 - 2017-01-24 23:04 - 0000177 _____ () C:\Users\JESS\AppData\Roaming\WB.CFG.MERRY
2017-01-24 22:51 - 2017-01-24 22:51 - 0091845 _____ () C:\Users\JESS\AppData\Local\MERRY_I_LOVE_YOU_BRUCE.HTA
Hosts:
EmptyTemp:
RemoveProxy:
Reboot:

Here I think you have everything

Thanks for your help, Kevin.

Addition.txt

Fixlog.txt

FRST.txt

mbam.txt

Shortcut.txt

TARIFS TOBOGGAN A4.doc

TARIFS TOBOGGAN A4.doc.MERRY

scan_170127-194458.txt

scan_170127-194607.txt


Hi Kevin,

I've been following the other threads regarding MRCR Bruce, as our systems were infected on Monday 23 Jan. Since then I've managed to track down the infected machine, isolate it and run several scans. I've run Emsisoft Anti-Malware and the Farbar Recovery Scan Tool. The results are attached, along with the Chrome_Font.exe in case it's a different version to the others.

I believe the route of infection was a website, http://www.tomchambers.co.uk/. This site did not display correctly on first load and initiated a file download of the notorious Chrome_Font.exe. While the site appears to be okay now, I can't be sure. Perhaps you could check this site for any potential infection.

We really appreciate your help and hope the creation of a decryption tool will be possible.

 

Best regards,

Peter.

peter-morgan--MERRY_I_LOVE_YOU_BRUCE.zip


Hi Kevin, Thank you for taking the time to respond.

 

Wondering if you might know whether my currently encrypted files will actually be deleted when the timer is up? (3 days and counting)

Newly saved .docx and .jpeg  files do not seem to get encrypted, and am hoping it indicates that my encrypted files are currently safe from permanent loss.

 

Thank You

 

 


I also landed with this delightful virus this morning. I went on to a supplier's webpage and had to download Chrome_Font.exe as I could not view the site. The rest is history. I would like to find out if by some small chance you have a timeline on a decryption tool for the latest strain of .MERRY files?

What antivirus or malware program do you recommend for the removal of the virus?

I have also got the MERRY_I_LOVE_YOU_BRUCE.HTA file in each of the affected folders.

 

 


I got this Merry I Love You Bruce thing on my computer and all my files now have a .merry extension and I can't access them. I tried to download the decrypter but it wouldn't run. My hard drive crashed so it has been replaced and all the recovered files still have this extension. I really need to access them. This is my first experience of this kind of virus and I'm stumped. Please help!!

scan_170127-195237.txt

Addition_27-01-2017 20.04.09.txt

FRST_27-01-2017 20.04.09.txt

