Recent variants of the "Merry Christmas" ransomware, also known as Merry X-Mas, are also dropping the DiamondFox malware on infected computers, which is used by the ransomware's operators to collect data from infected hosts, such as passwords, sensitive files, and others.

Multiple security researchers detected the Merry Christmas ransomware in the first week of the year. Bleeping Computer ran an article detailing the modus operandi of the first ransomware variants on January 4.

The initial wave of Merry Christmas infections came from malicious documents spammed via emails posing as FTC consumer complaints.

Waves of Merry Christmas ransomware infections still being detected

Because of the ransomware's Christmas theme, many security experts expected this ransomware to be a one-and-done affair.

To the surprise of many, a few days after the initial wave of Merry Christmas ransomware infections, security researcher Brad Duncan detected a second wave of attacks.

This time around, the ransomware used a different ransom note, and also used different spam lures. For this campaign, crooks distributed Merry Christmas using emails posing as court attendance notices.

Differences in the ransom notes of the first two Merry Christmas ransomware infections
Differences in the ransom notes of the first two Merry Christmas ransomware infections (Source: Brad Duncan)
Merry Christmas ransomware ransom note (version 2)
Merry Christmas ransomware ransom note (version 2) (Source: Karsten Hahn)

Just like the first wave of malspam, these emails included links that downloaded a file from an online server, which contained macro scripts, and which if allowed to execute would download and install the latest version of the Merry Christmas ransomware.

Noted by Duncan, these attacks coincided with the Christmas holiday for Orthodox Christians who are following the Julian Calendar, such as large communities in former Soviet states and some Eastern European countries.

A few hours after Duncan published his findings, security researcher MalwareHunterTeam discovered that recent Merry Christmas ransomware versions would also unpack and drop the DiamondFox malware.

DiamondFox is a modular malware family that's currently sold on various Dark Web malware marketplaces, such as AlphaBay and Hansa.

Ad on the Dark Web for the DiamondFox botnet malware
Ad on the Dark Web for the DiamondFox botnet malware

The malware is an all-around threat and includes modules that crooks can opt to deploy on a per-infection basis.

This malware includes components for transforming infected PCs into DDoS bots, components for stealing credit card data from PoS systems, components for ransacking browser passwords, components for opening RDP (remote desktop) connections, and many other more.

The Merry Christmas family is not the first ransomware threat to add secondary malware payloads to its normal attack routine. In the summer of 2016, security researchers from Kaspersky discovered versions of the Shade (Troldesh) ransomware that downloaded the Teamspy RAT in order to determine and evaluate the type of computer they infected, and decide if to charge a higher sum to unlock files.