Every Year Again: The Merry Christmas Ransomware

The Merry Christmas ransomware has nothing to do with the Christmas spirit. It not only encrypts data but steals it as well. More details in the blog.

Dec 19, 2022 - 4 min.

Cybercriminals have thought up something extra special for the Christmas season: they send their victims Christmas greetings. It is the last gift anyone wants to receive, because the greeting informs the recipient that all their data has been encrypted and will only be released on payment of a ransom. The attack is based on the Merry Christmas ransomware, which has been wreaking havoc since 2017. Misfortune seldom arrives unaccompanied: in some variants the victim's PC is infected not only with the ransomware but also with a second program the attackers install. This is the DiamondFox malware, and it steals personal data, login details and passwords. Read on to learn how users infect themselves with malware and how you can prevent it.

A Trojan horse for Christmas

The Merry Christmas ransomware, also known as Merry-X-Mas, infiltrates systems and encrypts all stored files. Depending on which variant has infected the system, the encrypted files are given extensions such as '.PEGS1', '.MRCR1', '.RARE1' or '.MERRY'. Once all files have been encrypted, a pop-up window opens with a ransom demand, accompanied by a countdown showing how long the victim has to pay, usually in Bitcoin. If the time limit is exceeded, the blackmailers threaten to delete the data permanently.

This affects not only companies and organizations; individuals can also fall victim. In most cases the malware enters the system through a social engineering attack. This can be a spam email containing a link that downloads the malware when the victim clicks on it, or a PDF file or Word document sent as an attachment that deploys the malicious code when it is opened. The emails often appear to come from an important official agency or another legitimate organization. To add pressure, the subject line urges the recipient to take 'urgent action', for instance to avoid a penalty or to claim a prize.

There are also other ways in which the malware can gain access to systems. Besides phishing emails and social engineering, security vulnerabilities left open by missing updates or patches present a major risk for companies, as do poorly configured firewalls. The malware can also be brought in on externally connected devices such as USB sticks or hard disks, or delivered as a drive-by download from a malicious website.

Once the malware has reached a system, it often cannot be recognised as such right away, because Windows hides known file extensions by default: a file named 'invoice.pdf.exe' is shown simply as 'invoice.pdf'. If the user opens the file, the malware works away in the background and encrypts the files. It starts by scanning all drives and attached storage and sending the collected information to the attackers' systems. It then selects files to encrypt by their extensions. Once files have been encrypted, they are often difficult to recover. For companies, the easiest solution often seems to be paying the blackmailers in the hope that they will decrypt the files. However, law enforcement agencies and security experts strongly advise against paying the ransom: payment does not guarantee that the company will get its data back.
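Two of the indicators described above can be checked mechanically: files that already carry one of the Merry X-Mas extensions listed earlier, and attachments whose real (executable) extension is hidden behind a document-like one. The following scanner is an added example, not code from the original article or from any security product; the lists of executable and document extensions are my own assumptions, and the sample directory it builds is constructed demo data, not files from a real incident.

```python
"""Added example: scan a directory tree for Merry X-Mas encryption markers
and for disguised executables ("invoice.pdf.exe" shown as "invoice.pdf")."""
import os
import tempfile
from pathlib import Path

# Extensions the article lists for Merry X-Mas variants (matched case-insensitively).
MERRY_XMAS_EXTENSIONS = {".pegs1", ".mrcr1", ".rare1", ".merry"}

# Assumed lists: extensions Windows executes as code, and extensions users
# expect to be harmless documents or images.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".ps1", ".lnk"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def classify(name):
    """Return 'encrypted', 'disguised_executable' or None for a single file name."""
    suffixes = [s.lower() for s in Path(name).suffixes]
    if not suffixes:
        return None
    if suffixes[-1] in MERRY_XMAS_EXTENSIONS:
        return "encrypted"
    # Double extension: a document-like suffix immediately before an executable one.
    if (len(suffixes) >= 2
            and suffixes[-1] in EXECUTABLE_EXTENSIONS
            and suffixes[-2] in DOCUMENT_EXTENSIONS):
        return "disguised_executable"
    return None


def scan_tree(root):
    """Walk `root` and map every suspicious path to its verdict."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            verdict = classify(fname)
            if verdict:
                findings[os.path.join(dirpath, fname)] = verdict
    return findings


def summarize(findings):
    """Count findings per category."""
    counts = {"encrypted": 0, "disguised_executable": 0}
    for verdict in findings.values():
        counts[verdict] += 1
    return counts


def build_sample_tree():
    """Create a constructed demo tree (not real victim data) and return its root."""
    root = tempfile.mkdtemp(prefix="merry_demo_")
    sample_files = [
        "budget.xlsx.MERRY",          # encrypted by the ransomware
        "photos/holiday.jpg.PEGS1",   # encrypted, different variant
        "contracts/nda.docx",         # untouched document
        "mail/invoice.pdf.exe",       # disguised executable from a phishing mail
        "mail/greeting.doc.scr",      # screensaver posing as a Word document
        "notes.txt",                  # harmless
    ]
    for rel in sample_files:
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"demo")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    results = scan_tree(demo_root)
    for path, verdict in sorted(results.items()):
        print(f"{verdict:22} {path}")
    print(summarize(results))
```

Run against a file share, the 'encrypted' hits tell you how far the encryption got and which variant you are dealing with; the 'disguised_executable' hits in mail or download folders are the lures worth pulling for analysis. Neither check replaces endpoint protection, but both are cheap enough to run from a read-only forensic mount.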

Double extortion 

There are variants of the Merry Christmas malware in circulation that not only encrypt files but also install a second malicious program. The DiamondFox malware collects sensitive information such as login details, passwords and other confidential files, using methods that include keylogging. This allows the cybercriminals to blackmail their victims twice and so maximise their profit: in many cases they threaten to put the collected data up for sale on the dark web unless the victim pays. Even if a company pays, there is no guarantee that the criminals will not sell the data anyway or use it for other purposes.

There is a further danger: even if a ransom is paid and the files are decrypted, DiamondFox may remain undetected on the victim's server, so the first attack can be followed by a second.

Preparations and measures

As cyberattacks become increasingly successful, and it is usually just a matter of time before a company is affected, good preparations and robust defensive measures are extremely important: 

  • Staff training: training courses are essential for raising awareness of the dangers of cyberattacks. Key aspects include training staff on the GDPR and the upcoming revDSG. This not only ensures that data is stored in a compliant manner; it also helps IT decision-makers keep an overview of their data.
  • Apply updates and patches immediately: updates and patches must be applied without delay so that security vulnerabilities are closed quickly. This should not be postponed. One example that underlines the point is the Hafnium mass exploitation of Exchange Server in early 2021.
  • Implement current security standards: in addition to using passwords correctly, companies should implement further standards that give the systems better protection. For instance, multi-factor authentication (MFA) or biometric authentication strengthens password-based logins. Accounts that are no longer used should be deleted promptly.
  • The 3-2-1-1 rule for system-wide backups: keep three copies of the data on two different media, with one copy located off the company site. The last number stands for an additional copy that is kept offline (air-gapped) or made immutable, so that ransomware running on the network cannot encrypt or delete it. Note the caveat: such a copy is protected from tampering, but it is only clean if it was taken before the infection, so backups should be scanned, and restores tested, before they are relied on.
  • Draw up a disaster recovery plan: if you are faced with encrypted files or even a double extortion attack, it helps if rules of conduct have been drawn up beforehand. Responsibilities within teams, as well as internal and external communications, must be clearly defined. Documentation is also useful for the subsequent analysis and evaluation of the event and the damage caused. The plan should be reviewed and updated regularly.

Not this year: be prepared for ransomware attacks 

Falling victim to ransomware is a serious matter. The company not only suffers reputational damage but also incurs major financial losses; in many cases an attack of this kind can threaten a company's very existence. Companies are especially at risk over Christmas, as the Federal Office for Information Security (BSI) warned last year.

To avoid these risks, companies must have implemented current security standards. So, with this in mind, we wish you a Happy Christmas, free of ransomware!
