News Feature | October 14, 2016

Cryptographic Errors Defeat MarsJoke Ransomware


By Christine Kern, contributing writer


Researchers develop a new decryption tool that helps stop the threat of MarsJoke.

Last month, Threatpost.com revealed that the MarsJoke strain of ransomware was targeting state and local governments, as well as educational institutions, giving victims 96 hours to pay the ransom or risk losing their data forever. The ransomware was first detected in a large-scale email campaign delivered via the Kelihos botnet. Now, researchers have broken the MarsJoke encryption and created a decryption tool to help defeat it.

“Emails contained URLs linking to an executable file named ‘file_6.exe’ hosted on various sites with recently registered domains, apparently for the purpose of supporting this campaign,” Proofpoint wrote in a blog post.

What sets MarsJoke apart from more typical variants such as Locky is the lure: convincing spam emails that hijack the branding of popular air carriers and shipping companies. These emails carry messages such as, “Make no difficulty to use the tracking number provided in the file below.”

Once downloaded and executed, the file installs the MarsJoke malware, which encrypts files without changing their original file extensions; during encryption the extensions are only temporarily replaced with “.a19” and “.ap19,” according to Proofpoint. Infected computers then display the ransom message.

“MarsJoke does not appear to be ‘just another ransomware,’ though. The message volume and targeting associated with this campaign bear further monitoring as attackers look to monetize new variants and old strains saturate potential victims,” Proofpoint wrote.

An anti-ransomware team at Kaspersky Lab made up of Anton Ivanov, Orkhan Mamedov, and Fedor Sinitsyn has managed to crack the MarsJoke encryption by leveraging errors in its encryption scheme, and has developed a decryption tool that will help mitigate the dangers of MarsJoke, according to Bitcoin.com.

The researchers explained the flawed encryption in a blog post, stating, “Files that are encrypted by this cryptor can be decrypted using Kaspersky Lab’s free anti-cryptor utility RannohDecryptor Version 1.9.3.0.”

The cracking of MarsJoke adds one more name to the list of defeated ransomware families, though ransomware continues to evolve and grow more sophisticated. That said, potential victims now have more options to defend against it. For example, the NoMoreRansom.org site, which Kaspersky operates in conjunction with Intel Security and the Dutch National Police, is now a one-stop shop for users needing decryption keys for a variety of ransomware strains. Keys for variants such as Chimera, TeslaCrypt, Shade, and now MarsJoke are posted on the site. The decryption of MarsJoke also follows a broader effort by global law enforcement and others in the fight against ransomware.