Full Report
M3rx is a new ransomware name with a leak site, a Tox contact, and a Windows encryptor that is already doing real work. It carries an embedded config, writes RECOVERY_NOTES.TXT, renames encrypted files to random 16-character names with the .8hmlsewu extension, empties the Recycle Bin, and deletes itself through PowerShell at the end of execution. The crypto and file format are worth the teardown: M3rx uses a per-run X25519 key exchange, AES-CTR for file content, AES-GCM to wrap each per-file AES key, and a fixed 0x400-byte footer. The config is recoverable and the footer is readable. Interrupted files also expose a different state than completed files.
Analysis Summary
# Tool/Technique: M3rx Ransomware
## Overview
M3rx (also referred to as M3RXDLS) is a newly identified ransomware variant written in Go (Golang) that surfaced in April 2026. It operates on a double-extortion model, utilizing a dedicated Onion leak site, a Tox contact for negotiations, and a Windows-based encryptor. It features a sophisticated cryptographic scheme and automated cleanup procedures.
## Technical Details
- **Type:** Malware family (Ransomware)
- **Platform:** Windows (PE32+ x64)
- **Capabilities:** File encryption, shadow copy deletion, file unlocking (Restart Manager), self-deletion, Recycle Bin purging.
- **First Seen:** April 23, 2026
## MITRE ATT&CK Mapping
- **TA0040 - Impact**
  - **T1486 - Data Encrypted for Impact:** Encrypts files and appends the `.8hmlsewu` extension.
  - **T1490 - Inhibit System Recovery:** Deletes shadow copies and empties the Recycle Bin.
- **TA0005 - Defense Evasion**
  - **T1070.004 - Indicator Removal: File Deletion:** Uses a PowerShell loop to delete its own executable.
  - **T1027 - Obfuscated Files or Information:** Embeds a Gzip+Gob encoded configuration in `.rdata`.
- **TA0007 - Discovery**
  - **T1083 - File and Directory Discovery:** Enumerates the Desktop and Documents folders.
## Functionality
### Core Capabilities
- **Sophisticated Encryption:**
  - **Key Exchange:** Uses a per-run X25519 (Elliptic Curve Diffie-Hellman) exchange.
  - **Content Encryption:** AES-CTR for file data.
  - **Key Wrapping:** AES-GCM is used to wrap each individual per-file AES key.
  - **File Structure:** Renames files to random 16-character alphanumeric names with the `.8hmlsewu` extension and appends a fixed `0x400`-byte footer.
- **Data Extortion:** Drops a `RECOVERY_NOTES.TXT` file containing instructions for negotiation via Tox or a Tor-based client area.
- **System Preparation:** Utilizes `rstrtmgr.dll` (Restart Manager) to unlock files held open by other processes to ensure maximum encryption coverage.
### Advanced Features
- **Binary Obfuscation:** The configuration is stored as a Gzip-compressed Go "gob" data structure, requiring a specific header reconstruction (`1f 8b 08 00 00 00 00 00 00 ff`) for extraction.
- **State-Dependent Footers:** Differentiates between "staged" (interrupted) and "finalized" encrypted files using unique magic bytes in the footer (`0x3828ac45` vs `0x741fbe88`).
## Indicators of Compromise
- **File Hashes:**
  - **SHA256:** `b09ece33ffe5efb1903526229595a8c74d983c731505bee09c2a005036c834b8`
  - **MD5:** `071e2e0087554d96bba6a4ab73d88cd0`
- **File Names:** `RECOVERY_NOTES.TXT`
- **Network Indicators:**
  - `4k6plf4h2cm2nco6ae3inrsxnmqgl6lllmwefydhnlcq4tuhwbj4qpad[.]onion` (Leak Site)
  - `pippahtohg6qgioqu3ixrsueefuw7thythmmeanyrgwn3eixcuu6jvqd[.]onion` (Chat/Client Area)
- **Behavioral Indicators:**
  - Execution of PowerShell self-deletion loops.
  - WMI queries: `SELECT * FROM Win32_ShadowCopy`.
  - Calls to `SHEmptyRecycleBin`.
## Associated Threat Actors
- **M3rx / M3RXDLS:** A relatively new group; specific ties to established APTs or known affiliate programs are currently unconfirmed.
## Detection Methods
- **YARA/Signature:** Hunt for the footer magic bytes as they appear on disk, i.e. the little-endian encodings of the two values above: `88 be 1f 74` (Final, `0x741fbe88`) or `45 ac 28 38` (Staging, `0x3828ac45`).
- **Behavioral:** Monitor for rapid file renaming/encryption followed by PowerShell-driven self-deletion and the use of Restart Manager strings (`RmShutdown`).
- **Config Extraction:** Analysts can look for the `0x1000` byte blob at the specific offset in `.rdata` to recover operator keys.
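The footer triage and the gzip-header reconstruction described above, as an added example that is not part of the original report: it classifies a file as final, staged or clean from its trailing `0x400` bytes, and inflates a header-stripped config blob. The magic's position inside the footer is not given on the page, so the whole footer is searched (an assumption); the sample footer and blob are constructed here.

```python
import gzip
import os
from pathlib import Path

FOOTER_SIZE = 0x400  # fixed footer length reported for M3rx
# Little-endian byte encodings of the two footer magics named in the report.
MAGIC_FINAL = bytes.fromhex("88be1f74")   # 0x741fbe88, completed file
MAGIC_STAGED = bytes.fromhex("45ac2838")  # 0x3828ac45, interrupted file
# Gzip member header the report says must be reconstructed before inflating.
GZIP_HEADER = bytes.fromhex("1f8b080000000000" "00ff")


def classify_footer(footer: bytes) -> str:
    """Return 'final', 'staged' or 'clean' for the last FOOTER_SIZE bytes of a file.

    Assumption: the magic's offset inside the footer is not stated in the
    report, so the whole footer is searched for either sequence.
    """
    if len(footer) < FOOTER_SIZE:
        return "clean"  # too short to carry the footer at all
    if MAGIC_FINAL in footer:
        return "final"
    if MAGIC_STAGED in footer:
        return "staged"
    return "clean"


def read_footer(path: Path) -> bytes:
    """Read only the trailing FOOTER_SIZE bytes so large files are not loaded."""
    with open(path, "rb") as fh:
        size = fh.seek(0, os.SEEK_END)
        if size < FOOTER_SIZE:
            return b""
        fh.seek(size - FOOTER_SIZE)
        return fh.read(FOOTER_SIZE)


def scan_tree(root: str) -> dict[str, str]:
    """Map every file under root whose footer carries a magic to its state."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            state = classify_footer(read_footer(path))
            if state != "clean":
                hits[str(path)] = state
    return hits


def recover_config_blob(headerless: bytes) -> bytes:
    """Prepend the gzip header to a blob carved from .rdata and inflate it.

    Assumption: the carved blob begins right after the missing 10-byte header
    and still carries the deflate body and gzip trailer. The output is Go gob
    data, which still needs a gob decoder (not done here).
    """
    return gzip.decompress(GZIP_HEADER + headerless)


def make_footer(magic: bytes, magic_offset: int = 16) -> bytes:
    """Constructed sample footer: zero padding with the magic at magic_offset."""
    footer = bytearray(FOOTER_SIZE)
    footer[magic_offset:magic_offset + len(magic)] = magic
    return bytes(footer)


# Constructed sample: a gzip member with its 10-byte header stripped off.
SAMPLE_HEADERLESS_BLOB = gzip.compress(b"gob-payload", mtime=0)[10:]
```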
## Mitigation Strategies
- **Offline Backups:** Maintain immutable, off-site backups to recover from encryption without paying ransoms.
- **Endpoint Protection:** Deploy EDR solutions to block unauthorized WMI calls (Shadow Copy deletion) and monitor for Go-based obfuscated binaries.
- **Access Control:** Implement the principle of least privilege to limit the ransomware's ability to traverse network shares.
## Related Tools/Techniques
- **Go-based Ransomware:** Shares characteristics with other modern Go encryptors like HelloKitty or BianLian in its use of high-performance concurrency.
- **Double Extortion:** Follows the trend set by LockBit and ALPHV/BlackCat.