M3rx is a newly observed ransomware strain with a public leak site, a Tox contact, and a Windows Go-based encryptor tied to multiple claimed victims across the US, Canada, Australia, the UK, and Switzerland. The encryptor uses per-run X25519 ECDH with AES-CTR for file content and AES-GCM to wrap per-file keys, appends a 0x400-byte footer, and renames files to random 16-character names with the .8hmlsewu extension; an interrupted (staging) footer can leave a narrow recovery opportunity. #M3rx #anvilarts
Keypoints
- New ransomware label M3rx (also seen as M3RX/M3RXDLS) has an active leak site and Tox contact footprint.
- The PE32+ x64 Go encryptor drops RECOVERY_NOTES.TXT, clears the Recycle Bin, leverages Restart Manager strings, and can self-delete via PowerShell.
- Encryption uses per-run X25519 ephemeral keys, AES-CTR for file bodies, AES-GCM to wrap per-file AES keys, and a fixed 0x400-byte footer format.
- Encrypted files are renamed to 16-character basenames with the .8hmlsewu extension; an interrupted (staging) footer may contain plaintext per-file AES keys enabling narrow recovery.
- Indicators include the sample SHA256, embedded config SHA256, operator X25519 public key, Tor onion address and Tox ID, plus actor-posted victim claims spanning several countries.
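The following triage script is an added example for incident responders; it is not code from the linked research or from the malware. It uses only the artefacts stated above (16-character basenames, the .8hmlsewu extension, a fixed 0x400-byte footer) to enumerate candidate encrypted files on a host and carve the raw footer from each one for offline analysis, flagging files too short to hold a complete footer. The footer layout is not published here, so the script deliberately does not parse it; the alphanumeric character set for the random basename and the sample directory it builds are assumptions, constructed for the demo.

```python
"""Triage helper for the M3rx renaming pattern and trailing footer.

Added example, not code from the research page or the encryptor.
Facts taken from the page: 16-character random basename, .8hmlsewu
extension, 0x400-byte footer. Assumption: basename charset is [A-Za-z0-9].
The footer layout is not published, so footers are carved, not parsed.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List

FOOTER_SIZE = 0x400          # fixed footer length stated on the page
EXTENSION = ".8hmlsewu"      # extension appended by the encryptor
# 16-character basename; "random" per the page, charset is an assumption
NAME_RE = re.compile(r"^[A-Za-z0-9]{16}\.8hmlsewu$")


@dataclass
class Hit:
    path: Path
    size: int
    footer: bytes        # raw trailing FOOTER_SIZE bytes, left unparsed
    complete: bool       # False when the file cannot hold a full footer


def looks_encrypted(name: str) -> bool:
    """True when a filename matches the observed renaming pattern."""
    return NAME_RE.match(name) is not None


def carve_footer(path: Path) -> Hit:
    """Read the last FOOTER_SIZE bytes; short files are kept but flagged."""
    size = path.stat().st_size
    if size < FOOTER_SIZE:
        return Hit(path, size, b"", False)
    with path.open("rb") as fh:
        fh.seek(size - FOOTER_SIZE)
        footer = fh.read(FOOTER_SIZE)
    return Hit(path, size, footer, len(footer) == FOOTER_SIZE)


def scan(root: Path) -> List[Hit]:
    """Walk a tree and carve footers from every file matching the pattern."""
    hits: List[Hit] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if looks_encrypted(name):
                hits.append(carve_footer(Path(dirpath) / name))
    return sorted(hits, key=lambda h: str(h.path))


def summarize(hits: List[Hit]) -> Dict[str, int]:
    """Counts an analyst would report: total, complete footers, truncated."""
    complete = sum(1 for h in hits if h.complete)
    return {"matched": len(hits), "complete": complete,
            "truncated": len(hits) - complete}


def build_sample_tree() -> Path:
    """Constructed sample tree (not victim data) used by demo() and tests."""
    root = Path(tempfile.mkdtemp(prefix="m3rx_triage_"))
    (root / "docs").mkdir()
    # looks encrypted: 16-char name, known extension, room for a footer
    (root / "docs" / "a1b2c3d4e5f6g7h8.8hmlsewu").write_bytes(
        b"\x00" * 100 + b"F" * FOOTER_SIZE)
    # correct name but too short to hold a full footer (interrupted write)
    (root / "docs" / "zzzzzzzzzzzzzzzz.8hmlsewu").write_bytes(b"\x01" * 100)
    # untouched file, and a decoy with the right extension but wrong name length
    (root / "report.docx").write_bytes(b"hello")
    (root / "short.8hmlsewu").write_bytes(b"\x02" * 2000)
    return root


def demo() -> List[Hit]:
    """Run the scanner over the constructed tree and return its hits."""
    return scan(build_sample_tree())


if __name__ == "__main__":
    results = demo()
    print(summarize(results))
    for hit in results:
        print(hit.path.name, hit.size, "complete" if hit.complete else "TRUNCATED")
```

On a real host, point `scan()` at the affected volume and preserve the carved footers alongside the file paths; truncated entries are worth separating out, since the page notes that an interrupted footer is the case where recovery may be possible, and those files should not be overwritten before the footer format has been examined.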
Read More: https://www.derp.ca/research/m3rx-ransomware-go-encryptor/