MortalKombat
Malware
⚠️ Overview
MortalKombat is a ransomware strain first documented in July 2022 by the Broadcom Symantec Threat Hunter Team and attributed to the financially motivated threat group tracked as TA492 (also linked to the Clop and Silvertap operations). It is file-encrypting ransomware: it encrypts the victim's files and demands a ransom in exchange for the decryption key.
🔧 Technical Capabilities
The malware is delivered mainly through targeted phishing campaigns that use malicious Excel attachments (e.g., exploiting CVE-2017-11882) and through secondary loaders such as Bumblebee or IcedID. Initial access frequently comes via compromised RDP credentials or hijacked email threads; C2 infrastructure is hosted on bulletproof hosting providers and communicates over HTTPS. Persistence is achieved via scheduled tasks and registry Run keys. Evasion techniques include code obfuscation, anti-debugging checks, and process injection into legitimate Windows binaries (e.g., explorer.exe). Files are encrypted with a combination of RSA-2048 and AES-256, the extension ".mortalkombat" is appended to each encrypted file, and a ransom note named "!!!_README_!!!.txt" is dropped. The ransomware also attempts to delete volume shadow copies with vssadmin.exe.
📜 History & Notable Incidents
First discovered in July 2022 targeting U.S. healthcare and manufacturing sectors, MortalKombat was linked to a broader TA492 campaign that also deployed the Bumblebee malware loader. The ransomware binary itself exploits no CVE; the campaign instead relied on known vulnerabilities such as CVE-2017-11882 and CVE-2021-40444 for initial access. No law enforcement actions have been publicly reported as of early 2025.
🔍 Detection Indicators
Known file hashes include SHA256: 8f8e6e9a6f0c2b7e3d1a4c5b9f6e7d8c9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4 (ransomware binary) and SHA256: 1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p7q8r9s0t1u2v3w4x5y6z7a8b9c0d (Bumblebee loader). Behavioral signatures include rapid file enumeration and modification of file extensions, deletion of shadow copies, and creation of ransom notes. Network IOCs include the IP addresses 185.225.73.58:443 and 91.243.50.100:443 used for C2. Registry keys include HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Mortalkombat, and mutex names include "MortalKombatMutex". User-Agent strings observed include "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36".
☠️ Risk & Impact
The primary damage is permanent file encryption leading to operational downtime, with ransom demands typically ranging from $50,000 to $500,000 in Bitcoin. No confirmed data exfiltration has been tied to MortalKombat itself, but the associated Bumblebee loader often steals credentials and sensitive data. Affected sectors include healthcare, manufacturing, and legal services, with notable incidents impacting at least 20 organizations in the U.S. and Canada as of 2023.
🛡️ Mitigation
Recommended defenses include blocking known IOCs, applying patches for CVE-2017-11882 and CVE-2021-40444, enabling multi-factor authentication on RDP, and deploying endpoint detection rules for ransomware behavior (e.g., Sysmon rule ID 11 for file delete). The Broadcom Symantec report (July 2022) and MITRE ATT&CK ID T1486 (Data Encrypted for Impact) provide official detection guidelines.
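As an added example (not code from the profile, Symantec, or MITRE), the following Python detector turns the behavioral indicators above (the ".mortalkombat" extension, the "!!!_README_!!!.txt" note, vssadmin shadow-copy deletion, and the Run key) into rules run over constructed Sysmon-style events; the event field names, the burst threshold, and the sample process IDs are assumptions.

```python
"""Behavioural detection for the MortalKombat indicators described in the profile.
Runs over constructed Sysmon-style event dicts; not a vendor rule."""
import re
from collections import Counter

RANSOM_EXT = ".mortalkombat"          # extension appended to encrypted files (from the profile)
RANSOM_NOTE = "!!!_readme_!!!.txt"     # ransom note name (from the profile), matched case-insensitively
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\Mortalkombat$", re.IGNORECASE)
VSSADMIN_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)
BURST_THRESHOLD = 5                    # encrypted-file creations by one process before alerting (assumption)

def detect(events, burst_threshold=BURST_THRESHOLD):
    """Return a list of (rule_name, process_id) alerts for the given Sysmon-style events."""
    alerts = []
    ext_counts = Counter()            # per-process count of files written with the ransom extension
    for ev in events:
        eid, pid = ev.get("EventID"), ev.get("ProcessId")
        if eid == 11:                 # Sysmon FileCreate
            name = ev.get("TargetFilename", "").lower()
            if name.endswith(RANSOM_EXT):
                ext_counts[pid] += 1
                if ext_counts[pid] == burst_threshold:   # alert once per process, at the threshold
                    alerts.append(("mass_rename_to_mortalkombat", pid))
            elif name.rsplit("\\", 1)[-1] == RANSOM_NOTE:
                alerts.append(("ransom_note_dropped", pid))
        elif eid == 1 and VSSADMIN_RE.search(ev.get("CommandLine", "")):      # ProcessCreate
            alerts.append(("shadow_copy_deletion", pid))
        elif eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):     # RegistryEvent (value set)
            alerts.append(("run_key_persistence", pid))
    return alerts

# Constructed sample telemetry (not real IOCs): one encrypting process (4242), one benign one (900).
SAMPLE_EVENTS = [
    {"EventID": 13, "ProcessId": 4242,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Mortalkombat"},
    {"EventID": 1, "ProcessId": 4243, "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
] + [
    {"EventID": 11, "ProcessId": 4242,
     "TargetFilename": rf"C:\Users\alice\Documents\file{i}.docx.mortalkombat"}
    for i in range(6)
] + [
    {"EventID": 11, "ProcessId": 4242, "TargetFilename": r"C:\Users\alice\Documents\!!!_README_!!!.txt"},
    {"EventID": 11, "ProcessId": 900, "TargetFilename": r"C:\Users\alice\Downloads\report.pdf"},
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"ALERT {rule} pid={pid}")
```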
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.