Ransomware Research

Mermaid Ransomware

Mermaid is a malicious ransomware strain that encrypts victim files and demands ransom payment for decryption. First observed in the wild on December 1, 2019, this ransomware has been actively targeting systems worldwide. Security researchers also track this malware under the aliases: Deniz Kizi, DenizKizi.

Quick Facts

Ransomware Family: Mermaid
First Seen: December 1, 2019
Known Aliases: Deniz Kizi, DenizKizi

How Mermaid Ransomware Works

Targeted Files

https://app.any.run/tasks/ddaa638f-c305-471c-abf5-e4074244e388/
https://app.any.run/tasks/6fc45ad8-8993-4fc6-8e60-c437d66593e3/#
https://app.any.run/tasks/70e30766-d3f8-434f-af39-97875c2db930/
b2d2abde6d4bd2eb4f0e5bbfc56d94fd8f38bb2a34f61603573097f8af37e836 -> doesn't change filenames

File Encryption Patterns

Mermaid modifies encrypted files using specific patterns to mark them as encrypted:

File extensions added after encryption:

  • ..Deniz_Kızı
  • ..Deniz_Kizi

Ransom Note and Payment Demands

After encrypting files, Mermaid displays ransom notes demanding payment for file recovery:

File: Please Read Me!!!.hta
Ransom message: notes/Please Read Me!!!.hta
Note locations: UserFolders

File: Lütfen Beni Oku!!!.log
Ransom message: notes/Lütfen Beni Oku!!!.log
Note locations: UserFolders, RootDirectory

File: Please Read ME!!!.log
Ransom message: notes/Please Read ME!!!.log
Note locations: UserFolders

File: Beni_Oku!!!.hta
Ransom message: notes/Beni_Oku!!!.hta
Note locations: UserFolders

Technical Indicators

Associated Executable Files

The following executable files are associated with Mermaid ransomware:

  • Ztarter.exe
  • Konyalı Zula Hack V4 2019.exe
  • k.exe
  • svchost.exe
  • svchost.exe.zp.bin
  • Starter.exe
  • Starter.bin
  • Deniz_Kızı.exe

About This Analysis

This Mermaid ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like Mermaid.

Last updated: July 30, 2025