View All R&D Articles

Merry X-Mas Ransomware Infection And Decryption Services

February 3, 2017

encrypted data keyMerry X-Mas ransomware started infecting computers worldwide in early January, 2017. The fact that Russia celebrates Christmas on January 7 has led to speculation that the malware originated there. Regardless of its point of origin, the ransomware continues infecting computers and the developers continue to improve its capabilities.

If Merry X-Mas ransomware has infected your computer, turn it off, disconnect all media from it, and call at 1-800-237-4200. Our security specialists can evaluate your situation and start planning to restore your files.

What is Merry X-Mas Ransomware (And How Does It Work)?

Merry X-Mas is a type of crypto-ransomware. When this malware infects a victim’s computer, it encrypts the vast majority of files. Encryption is a powerful tool that makes files unreadable to anyone without the key. While encryption has legitimate uses, ransomware attackers use it to prevent the rightful owners of files from accessing them.

The attackers often make threats (some of which may be bluffs) in order to scare victims into paying the ransom before fully exploring their recovery options. The perpetrators of the Merry X-Mas attacks certainly use high-pressure tactics to frighten victims.

Notable Features of Merry X-Mas Ransomware Include:

  • The original ransom note declared, “Merry X-Mas,” at the top, giving the malware its name.
  • A new variant forgoes the greeting but includes a picture of Robot Santa from the TV series Futurama.
  • Victims are pressured into downloading a document from the Federal Trade Commission.
  • The document is an .exe, but if extensions are disabled (which is the default setting for Windows), the document will appear as COMPLAINT.pdf
  • If a victim opens this file, the malware installer will begin encrypting files.
  • The ransom note includes a timer that counts down from a number of days, threatening to delete all files after the deadline.
  • The ransom amount is not given in the note, but rather communicated after contact is made with the attackers.

Merry X-Mas targets and encrypts hundreds of file types, which leaves infected computers virtually useless and their data inaccessible.

How Does Merry X-Mas Ransomware Infect My System?

The original Merry X-Mas spam email claims to be from the Federal Trade Commission. It states that there has been a consumer complaint against the recipient’s business. The email urges the recipient to read a bold section in the complaint document.

This complaint document does not exist and is actually an executable file. Because Windows disables extensions by default, the file COMPLAINT.pdf.exe appears as simply COMPLAINT.pdf on most computers. This vulnerability is a great reason to enable viewing extensions on your computer.

If the supposed PDF is downloaded, the infection process begins after a brief period of inactivity. Then the ransomware begins encrypting an extensive array of file types.

A later variant of Merry X-Mas replaced the consumer complaint email with a notice of court attendance. Attackers seem to be experimenting with a variety of social engineering methods to maximize infections.

This later variant also installs malicious software called DiamondFox, which can steal various credentials and use victim’s computers for DDOS attacks. For this reason, victims should take steps to ensure that the ransomware and this extra malware are removed from their computers.

Can I Disable or Remove Merry X-Mas Ransomware Encryption?

There is no known decryption key for any variants of Merry X-Mas. As always, preventing the installation of ransomware in the first place is the best defense against this scourge. Avoiding suspicious links and attachments, updating software, and backing up all data regularly are good defenses against malware attacks.

If Merry X-Mas has already infected your computer, the security experts at will explore every possible option for rebuilding, recovering, or otherwise restoring your encrypted files. As a last resort, they can facilitate a ransom payment in a safe and secure way.

Call 1-800-237-4200 to start the process of restoring your unreadable files. Our security specialists will analyze your situation and begin the process of recovering your information. As with all ransomware attacks, time is of the essence. Call now to begin.