Financial Cybercriminals Deploy Ransomware and Clipper Malware

On February 15, 2023, Cisco Talos released a report detailing a financially motivated cyber attack campaign that began in December 2022. The attack chain begins with a phishing email containing a malicious ZIP file, which is used to deliver either a clipper or ransomware payload. According to the report, the threat actor behind the attack is targeting individuals, small businesses, and large organizations located primarily in the U.S., as well as in the U.K., Turkey, and the Philippines.

The ransomware strain deployed by the attacker has been named MortalKombat, and is capable of encrypting system, application, backup, and virtual machine files. It also corrupts Windows Explorer, disables the Run command window, and removes applications and folders from Windows startup.

In addition to MortalKombat, the attacker is also using a clipper malware known as Laplas. This malware monitors the clipboard for any cryptocurrency wallet address and substitutes it with an actor-controlled wallet address in order to carry out fraudulent transactions.

Cisco Talos researchers have advised organizations to ensure that their systems are up to date with the latest security patches and that anti-malware solutions are enabled. They also urge individuals to be vigilant when opening emails from untrusted sources, and to avoid clicking on links or downloading attachments from these emails.