M3rx — Technical Analysis
ID: 93efba07-63e4-4f6b-b288-6b94fc7de81e
STIX ID: report--93efba07-63e4-4f6b-b288-6b94fc7de81e
Threat Score: 80/100
M3rx is a Go-compiled Windows x64 ransomware, analyzed in depth in this report. It uses a per-run X25519 ephemeral keypair and an embedded attacker X25519 public key to derive a session key-encryption key (KEK). Files are encrypted with per-file AES-256-CTR keys that are GCM-wrapped with the KEK, and a distinctive 1,024-byte footer is appended to each file, with magics for the partial and complete states. The ransomware also deletes VSS via embedded WMI shellcode, empties the recycle bin, and attempts secure self-deletion. The report supplies robust IOCs (hashes, Tor onion, Tox ID, extension, mutex pattern, footer magic) and recommended detection artefacts.
