M3RX
M3rx is a newly observed ransomware and extortion operation active by at least April 2026.
Profile source: Mallory opens in a new tabM3RX
Family profile
M3rx is a newly observed ransomware and extortion operation active by at least April 2026. It is also referenced as M3RX and M3RXDLS, which appear to denote the same activity. Publicly observed behavior indicates a double-extortion model combining file encryption with claims of data theft and leak-site publication pressure. Reported victims span multiple countries, including the United States, Canada, Mexico, the United Kingdom, Ireland, Germany, Norway, South Africa, Taiwan, and Argentina, and include organizations in business services, logistics, hospitality, manufacturing, consulting, legal services, and related sectors, suggesting broad opportunistic targeting rather than a narrowly specialized victim profile.
The operation maintains a leak site and victim negotiation workflow and has been linked to a Windows x64 encryptor written in Go. Observed ransomware behavior includes dropping a ransom note, renaming encrypted files, clearing the Recycle Bin, attempting self-deletion, and using mechanisms associated with unlocking files held open by other processes. Cryptographic analysis indicates use of per-run X25519 key exchange, AES-CTR for file-content encryption, and AES-GCM to protect per-file encryption keys, with metadata appended in a fixed footer structure. Analysis of the encryptor showed that interrupted encryption may leave recoverable key material in an intermediate footer state, whereas fully completed encryption requires access to runtime shared-secret material or operator-controlled private-key material for decryption.
Observed victim postings and incident notices indicate that M3rx publicly claims exfiltration volumes and file counts for some victims, while other listings provide little or no detail on stolen data. The group’s extortion messaging reportedly includes threats to publish stolen information and offers limited proof-of-decryption to pressure victims into negotiation. Despite the emergence of a functioning leak site and active victim listings, there is currently insufficient public evidence to confidently attribute M3rx to a previously known ransomware family, affiliate program, or nation-state sponsor, and no specific initial access pattern or intrusion chain can be stated with high confidence.
Ransomware.live
Operational record
Ransomware.live