m3rx

Firma de detección defensiva para este grupo (úsala en tu EDR/SIEM). Fuente: ransomware.live.

/*
m3rx ransomware
*/

rule m3rx_Ransomnote
{
    meta:
        author = "ransomware.live"
        family = "ransomware.m3rx"
        description = "Detects m3rx ransomware ransom note or artifact"
        date = "2026-05-04"
        severity = 7
        score = 70

    strings:
        $name1 = "m3rx" ascii nocase
        $name2 = "M3RX" ascii
        $onion  = "m3rx.onion" ascii nocase

    condition:
        any of them
}

Your files have been stolen from your network and encrypted with a military class algorithm. We work for money and are not associated with politics. All you need to do is contact us and pay decrypt fee.
--- Our interaction process:
1. You contact us.
1. We send you a list of files that were stolen.
2. We decrypt 3 files to confirm that our decryptor works.
3. You pay the amount in BTC, that was established in our negotiations.
4. You get decryptor, approve that all data is secure.
5. We wipe out all your data from our database and give you a detailed security breach report with security improve advices.
--- Client area (use this site to contact us):
Link for Tor Browser: [redactado]
>>> to begin the recovery process.
* In order to access the site, you will need Tor Browser,
  you can download it from this link: [redactado]
--- Additional contacts:
Support [redactado] [redactado]
--- Recommendations:
DO NOT RESET OR SHUTDOWN PC's - files may be damaged.
DO NOT RENAME OR MOVE the encrypted and readme files.
DO NOT DELETE readme files.
--- Important:
If you refuse to pay or do not get in touch with us, we start publishing your files, as well as share them to your competitors.

• https://www.ransomware.live/group/m3rx