M3rx is a newly observed ransomware operation active by at least April 2026. Public reporting and victim-posting overlap indicate that the labels M3rx, M3RX, and M3RXDLS refer to the same activity. The group operates a leak site and extortion workflow consistent with double-extortion ransomware, combining file encryption with claims of data theft and threats of public disclosure. Observed victims span multiple countries, including the United States, Canada, Australia, the United Kingdom, Switzerland, and Ireland. Reported targeting has included organizations in hospitality, business services, logistics, and forestry-related services, indicating opportunistic multi-sector victimization rather than a narrowly specialized vertical focus. M3rx uses a Windows x64 ransomware encryptor written in Go. Reported behaviors include dropping a ransom note, renaming encrypted files with randomized names and a dedicated extension, clearing the Recycle Bin, attempting self-deletion, and using mechanisms associated with unlocking files held open by other processes. The malware stores an embedded operator configuration and employs modern cryptography: per-run X25519 key exchange, AES-CTR for file-content encryption, and AES-GCM to protect per-file encryption keys, with encrypted files receiving a fixed-size footer. Analysis has shown that interrupted encryption may leave recoverable key material in partially processed files, whereas fully encrypted files require access to runtime secret material or operator-controlled private keying material for decryption. The operation’s extortion messaging reportedly offers limited proof-of-decryption and threatens publication of stolen data if payment is not made. As of current public evidence, there is not enough corroborated information to attribute M3rx to a previously known ransomware family, affiliate program, or specific nation-state sponsor, nor to confidently associate it with a distinct initial access pattern or intrusion set.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Sectors the actor has been observed targeting.
Geographies tied to known operations.
8 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Conducting a ransomware attack and associated data theft against FORECON Inc., with the breach report claiming 860 GB and 437,048 files stolen.
Conducting a ransomware attack and associated data theft against eclective.ie, with the breach report claiming 857 GB and 1,683,762 files stolen.
Named as the ransomware group responsible for the attack and data breach against wrtworld.com, with stolen data reported at 377 GB and 267,891 files.
A newly observed ransomware/extortion operation using a Windows x64 Go encryptor, leak site, Tor client area, and Tox contact. The group is conducting double-extortion style attacks, encrypting files, dropping ransom notes, and publicly listing victims on its leak site.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.