
MRCR (also known as Merry X-Mas) is a ransomware family that targets Windows users, encrypting their files with a custom encryption routine and demanding payment for the key. In response, the security firm Emsisoft released a free, dedicated MRCR decryption tool so that victims can recover their data without paying the extortion fee.

What is MRCR Ransomware?

Origin: Identified as a distinct ransomware family distributed through malicious attachments and infected files.

Programming Language: Built using the Delphi programming language.

File Extensions: Appends distinct suffixes to compromised files, including .MRCR1, .PEGS1, .RARE1, .MERRY, or .RMCM1.

Ransom Demands: Drops ransom notes titled YOUR_FILES_ARE_DEAD.HTA or MERRY_I_LOVE_YOU_BRUCE.HTA.

Attacker Contact: Instructs victims to message the operators via the Telegram app or through specific Yandex email addresses.

The Emsisoft Decryption Tool

Emsisoft’s Free Ransomware Decryption Tools portfolio includes the MRCR decryptor. It sidesteps the attacker’s paywall by exploiting weaknesses in the malware’s custom encryption routine to recover the key from the victim’s own files.

File-Pair Requirements: To reconstruct the decryption key, the tool needs a “file pair”: one encrypted file and the exact, original, unencrypted version of that same file (for example, a copy kept in a backup or previously sent by email).

Size Constraints: The files used for key reconstruction must be between 64 KB and 100 MB in size; a larger original gives the tool more material to work with, so prefer the biggest file for which a pristine copy exists.

Execution: Drag and drop both files of the pair onto the downloaded decryptor executable at once. The tool first derives the key from the pair and then scans the system for encrypted files to decrypt.

Attacker Backlash (The DDoS Incident)

The release of Emsisoft’s decryptor triggered aggressive retaliation from the ransomware operators. Immediately after an update to the tool, the threat actors launched an 8-hour Distributed Denial of Service (DDoS) attack against Emsisoft’s servers, email infrastructure, and help portals. The malware author also joined public help forums under fake identities to spread misinformation claiming that the decryptor would corrupt users’ files, a tactic aimed at scaring victims into paying the ransom instead.

Best Practices for Recovery

Isolate the System: Immediately disconnect the infected computer from the local network and the internet so the ransomware cannot reach network shares or spread to other machines.

Purge the Malware: Use an up-to-date antivirus product or the Emsisoft Emergency Kit to detect and quarantine the ransomware itself before running the decryptor; if the malware is still active, it can simply re-encrypt the files the decryptor has just restored.

Backup Locked Files: Always make copies of the encrypted files before running any decryption software. A wrong key or a defect in the decryption routine can leave files partially corrupted, and the untouched encrypted copy is the only thing that lets you try again.

Download: MRCR decryptor – Emsisoft: Free Ransomware Decryption Tools
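The following is an added example, not Emsisoft’s code and not part of the original article. It is a Python triage script that ties the steps above together: it inventories files carrying the five MRCR extensions and the two ransom-note names, copies every encrypted file to a separate location with a SHA-256 manifest before any decryptor is run, and proposes file pairs by matching each encrypted file against a clean backup, keeping only pairs whose files fall inside the decryptor’s 64 KB to 100 MB window. The directory layout, the clean-backup location and the sample files built by build_demo are constructed for the dry run; the assumption that the original lives at the same relative path inside the backup is the script’s own, not something the article or the decryptor requires.

```python
"""MRCR (Merry X-Mas) triage helper: inventory, safe copy, file-pair candidates.

Added example; not Emsisoft's tool. The indicators below are the extensions
and ransom-note names the article lists. The "same relative path in a clean
backup" rule for locating originals is an assumption of this script.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

MRCR_EXTENSIONS = {".mrcr1", ".pegs1", ".rare1", ".merry", ".rmcm1"}
RANSOM_NOTES = {"YOUR_FILES_ARE_DEAD.HTA", "MERRY_I_LOVE_YOU_BRUCE.HTA"}
MIN_PAIR_SIZE = 64 * 1024          # 64 KB lower bound for key reconstruction
MAX_PAIR_SIZE = 100 * 1024 * 1024  # 100 MB upper bound


def inventory(root):
    """Return (encrypted_files, ransom_notes) found under root, each sorted."""
    encrypted, notes = [], []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if p.suffix.lower() in MRCR_EXTENSIONS:
            encrypted.append(p)
        elif p.name.upper() in RANSOM_NOTES:
            notes.append(p)
    return sorted(encrypted), sorted(notes)


def original_name(encrypted):
    """Strip the appended MRCR suffix: 'report.docx.MRCR1' -> 'report.docx'."""
    p = Path(encrypted)
    return p.name[: -len(p.suffix)]


def sha256_of(path):
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_encrypted(encrypted, root, dest):
    """Copy encrypted files to dest (keeping relative paths) before any decryptor
    touches them. Returns {relative_path: sha256} so the copies can be verified."""
    manifest = {}
    for p in encrypted:
        rel = p.relative_to(root)
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(p, target)
        manifest[str(rel)] = sha256_of(target)
    return manifest


def find_file_pairs(encrypted, clean_backup, root):
    """Return (encrypted, original) pairs where the original exists in clean_backup
    at the same relative path and both files are inside the size window."""
    pairs = []
    for p in encrypted:
        rel = p.relative_to(root)
        original = clean_backup / rel.parent / original_name(p)
        if not original.is_file():
            continue  # no pristine copy: this file cannot seed key recovery
        if all(MIN_PAIR_SIZE <= f.stat().st_size <= MAX_PAIR_SIZE for f in (p, original)):
            pairs.append((p, original))
    return pairs


def build_demo(base):
    """Constructed sample tree (not real victim data) for a dry run."""
    victim = base / "victim" / "Documents"
    clean = base / "clean_backup" / "Documents"
    victim.mkdir(parents=True)
    clean.mkdir(parents=True)
    (victim / "report.docx.MRCR1").write_bytes(b"\xaa" * (70 * 1024))
    (clean / "report.docx").write_bytes(b"\x00" * (70 * 1024))       # usable pair
    (victim / "photo.jpg.PEGS1").write_bytes(b"\xbb" * (10 * 1024))
    (clean / "photo.jpg").write_bytes(b"\x00" * (10 * 1024))         # under 64 KB: rejected
    (victim / "notes.txt.MERRY").write_bytes(b"\xcc" * (80 * 1024))  # no original available
    (victim / "YOUR_FILES_ARE_DEAD.HTA").write_text("<html>ransom note</html>")
    (victim / "untouched.txt").write_text("not encrypted")
    return base / "victim", base / "clean_backup"


def run_demo():
    """Run the whole procedure on the constructed tree and return a summary."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root, clean = build_demo(base)
        encrypted, notes = inventory(root)
        manifest = backup_encrypted(encrypted, root, base / "quarantine_copy")
        pairs = find_file_pairs(encrypted, clean, root)
        return {
            "encrypted": [p.name for p in encrypted],
            "notes": [n.name for n in notes],
            "manifest_entries": len(manifest),
            "manifest_matches_source": all(
                manifest[str(p.relative_to(root))] == sha256_of(p) for p in encrypted),
            "pairs": [(e.name, o.name) for e, o in pairs],
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it as-is to see the dry run; to use it on a real machine, point inventory and backup_encrypted at the infected volume and find_file_pairs at a backup that predates the infection. Only the single-pair result (report.docx) would be handed to the decryptor; the 10 KB photo is rejected by the size window, and the notes file has no original to pair with.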
