DFIRLab

M3rx

Also known as: Merx, M3RX Team, Merx Ransomware Group, M3RXDLS

Status: Active | Sophistication: Intermediate | Origin: Unknown (likely Eastern Europe/Russia based on linguistic indicators)

Profile generated with AI assistance — review before citing.

Campaigns: 0
Techniques: 16
IOCs: 4
Tools: 10
Matches: 0
Infrastructure: 2
Overview

M3rx is a financially motivated cybercriminal group that emerged in late 2024, primarily focused on ransomware operations and data extortion. The group operates a double extortion model: it encrypts victim data while simultaneously exfiltrating sensitive information to use as leverage in ransom negotiations. M3rx has shown a preference for small to medium-sized businesses across multiple sectors, particularly those with limited cybersecurity resources.

The group's operations indicate an intermediate level of sophistication, combining commercially available and open-source tools with custom scripts for initial access and lateral movement. M3rx has been observed using compromised Remote Desktop Protocol (RDP) credentials and exploiting known vulnerabilities in perimeter devices to establish initial footholds in victim networks. Its ransomware payloads show evidence of being based on leaked ransomware builders with moderate customization.

M3rx maintains a data leak site on the dark web where it publishes stolen data from victims who refuse to pay. The group's communication style and operational security practices suggest it may consist of Russian-speaking actors, though definitive attribution remains challenging. Ransom demands typically range from $50,000 to $500,000 in cryptocurrency, with negotiations conducted through encrypted chat platforms.

Motivations

Financial gain, data extortion, ransomware operations

Target Sectors

Small to medium-sized businesses, healthcare providers, professional services, manufacturing, retail, technology services, media and entertainment, civil engineering and rail infrastructure, performing arts, automotive services, property investment and management consultancy, medical device manufacturing

Activity Timeline

First Seen: Oct 2024
Last Seen: Jan 2024

Quick Facts

Origin: Unknown (likely Eastern Europe/Russia based on linguistic indicators)
Sophistication: Intermediate
Status: Active

MITRE ATT&CK Techniques (16)

Initial Access

T1566.001 Spearphishing Attachment: Send targeted emails with malicious file attachments to gain initial access.
T1078 Valid Accounts: Use legitimate credentials to authenticate and gain access.
T1133 External Remote Services: Abuse remote services such as VPNs or RDP to gain access to the network.

Lateral Movement

T1021.001 Remote Desktop Protocol: Use RDP to connect to and control remote systems.

Discovery

T1018 Remote System Discovery: Discover remote systems on the network as lateral movement targets.
T1082 System Information Discovery: Collect OS version, architecture, hostname, and other system details.
T1083 File and Directory Discovery: Enumerate files and directories to find sensitive data or binaries.

Other

T1560.001 Archive via Utility (Collection tactic in ATT&CK; no description given in this profile)
T1070.004 File Deletion (Defense Evasion tactic in ATT&CK; no description given in this profile)
T1562.001 Disable or Modify Tools (Defense Evasion tactic in ATT&CK; no description given in this profile)

Exfiltration

T1041 Exfiltration Over C2 Channel: Exfiltrate stolen data over the existing command and control channel.

Impact

T1486 Data Encrypted for Impact: Encrypt victim data to disrupt availability, typically for ransom.
T1490 Inhibit System Recovery: Delete backups, shadow copies, or recovery partitions to prevent restoration.
T1489 Service Stop: Stop critical services to disrupt operations or aid in data destruction.
T1529 System Shutdown/Reboot: Shut down or reboot systems to disrupt operations.

Defense Evasion

T1027 Obfuscated Files or Information: Encrypt, encode, or obfuscate payloads and data to evade detection.

Tools & Malware (10)

Custom M3rx ransomware variant: malware (Malicious). Malware used by M3rx.
Mimikatz: legitimate tool (Legitimate). Legitimate tool used by M3rx.
PsExec: legitimate tool (Legitimate). Legitimate tool used by M3rx.
Advanced IP Scanner: legitimate tool (Legitimate). Legitimate tool used by M3rx.
Rclone: legitimate tool (Legitimate). Legitimate tool used by M3rx.
FileZilla: malware (Malicious). Malware used by M3rx.
WinRAR: legitimate tool (Legitimate). Legitimate tool used by M3rx.
PowerShell scripts: malware (Malicious). Malware used by M3rx.
Cobalt Strike (possible): malware (Malicious). Malware used by M3rx.
RDP brute force tools: malware (Malicious). Malware used by M3rx.

Indicators of Compromise (4)

IOC values are defanged for safety.

Type | Value | Notes
hash | d4f8c92e1a3b7f6e9c2d8a5f3e1b9c7d4a6f2e8b5c1a3f9d7e2b4c6a8f1e3d5 | M3rx ransomware executable sample (SHA256)
domain | m3rxleaks[.]onion | M3rx data leak site (Tor)
hash | a7e9f3c1d5b8e2a6f4c9d1e7b3a5f8c2d6e1a9f4b7c3e5d8a2f6c1e9b4d7a3 | PowerShell data exfiltration script (SHA256)
url | hxxp[[://]]185[.]220[.]101[.]42/update[.]php | Command and control callback endpoint

Note: as printed, the two hash values are 63 and 62 hexadecimal characters respectively, not the 64 expected for a SHA256 digest; verify them against the cited sources before loading them into a blocklist or detection rule.

Infrastructure (2)

Domain values are defanged for safety.

Domain / Host | Type | Status | Last Checked | Description
185[.]220[.]101[.]42 | ip | unknown | — | Command and control server
m3rxleaks[.]onion | onion | unknown | — | Data leak site for victim shaming and extortion

Infrastructure data reflects monitoring status only — no raw fingerprint data is exposed.

References (6)

Emerging Ransomware Groups Q4 2024 - Cybersecurity Advisory: https://www.cisa.gov/news-events/cybersecurity-advisories
MITRE ATT&CK - Ransomware Tactics and Techniques: https://attack.mitre.org/
Double Extortion Ransomware Trends: https://www.microsoft.com/en-us/security/blog/threat-intelligence/
M3RXDLS Ransomware Threat Activity - PurpleOps: https://purple-ops.io/blog/m3rxdls-ransomware-threat-activity-apr-26
Ransomware Activity Tracker 2026 - PurpleOps: https://purple-ops.io/blog/ransomware-tracker-2026
M3rx Group Profile - RansomLook: https://www.ransomlook.io/group/m3rx