Educational Institutions and the Government Attacked by MarsJoke Ransomware

A brand new ransomware family called MarsJoke has recently been targeting the government and the K-12 educational sector. The infection was found a month ago, but it has only now become active through a huge email spam campaign.

It became clear that the cyber criminals behind MarsJoke ransomware are infecting users’ computers through emails disguised as air travel confirmation notifications, which contain a link to a downloadable EXE file.

As soon as the user runs this file, MarsJoke ransomware is installed on the PC and locks the user’s data with the AES-256 encryption algorithm. After locking the files, MarsJoke asks the user to pay 0.7 Bitcoin (around $320) for the decryption key.

MarsJoke ransomware was discovered by the Proofpoint researcher Darien Huss. The ransomware copies the CTB-Locker visual style by replacing the user’s desktop wallpaper and leaving ransom notes in HTML and TXT format in every folder where it locks files. Nevertheless, MarsJoke does not claim to be CTB-Locker, unlike other ransomware variants that try to pass as something more dangerous and hard to decrypt.
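The note-dropping behaviour described above (an HTML and a TXT note in every folder with locked files) can help scope affected directories during triage. The sketch below is an added example, not code from the original article or from Proofpoint; the note name `EXAMPLE_NOTE`, the paths and the `min_dirs` threshold are constructed placeholders, because the article does not give the real note file names.

```python
from collections import defaultdict
from pathlib import PurePosixPath

NOTE_EXTS = {".html", ".txt"}  # the two note formats named in the article


def find_replicated_notes(paths, min_dirs=3):
    """Map each file stem present as BOTH .html and .txt in at least
    min_dirs directories to the sorted list of those directories."""
    exts_seen = defaultdict(set)  # (directory, stem) -> extensions found
    for p in map(PurePosixPath, paths):
        ext = p.suffix.lower()
        if ext in NOTE_EXTS:
            exts_seen[(str(p.parent), p.stem.lower())].add(ext)

    dirs_by_stem = defaultdict(set)
    for (directory, stem), exts in exts_seen.items():
        if exts == NOTE_EXTS:  # require the HTML/TXT pair, not a lone file
            dirs_by_stem[stem].add(directory)

    return {stem: sorted(dirs) for stem, dirs in dirs_by_stem.items()
            if len(dirs) >= min_dirs}


# Constructed file listing (placeholder names, not real MarsJoke artefacts).
SAMPLE_LISTING = [
    "/home/u/Documents/EXAMPLE_NOTE.html",
    "/home/u/Documents/EXAMPLE_NOTE.txt",
    "/home/u/Documents/budget.xlsx",
    "/home/u/Pictures/EXAMPLE_NOTE.html",
    "/home/u/Pictures/EXAMPLE_NOTE.txt",
    "/home/u/Work/EXAMPLE_NOTE.html",
    "/home/u/Work/EXAMPLE_NOTE.txt",
    "/home/u/Work/readme.txt",       # benign: repeated, but no .html twin
    "/home/u/Documents/readme.txt",
    "/home/u/Pictures/readme.txt",
    "/home/u/site/index.html",       # benign: a pair, but in one folder only
    "/home/u/site/index.txt",
]

if __name__ == "__main__":
    for stem, dirs in find_replicated_notes(SAMPLE_LISTING).items():
        print(f"possible ransom note '{stem}' in {len(dirs)} folders: {dirs}")
```

Directories returned for a flagged stem are the ones to check for locked files and to restore from backup first.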

Currently, no decrypter for MarsJoke ransomware is available. In order to decrypt their files, the victims should install the Tor Browser and access a website hosted on the Tor network.

The security researcher Gary Warners claims that the spam emails distributing MarsJoke ransomware have come from machines that are part of the Kelihos botnet, a network of infected computers used to send spam or relay malicious proxy traffic.

MarsJoke was first deployed in small tests last month, but the Kelihos botnet tripled in size in only 24 hours, proving that the criminals were ready for massive attacks.

Judging by the email addresses targeted in the spam campaign, which started on September 22, three verticals have borne the brunt of the attack: state government, local government, and K-12 educational institutions.

The above-mentioned verticals were targeted via a similar massive spam campaign just days before researchers discovered the MarsJoke ransomware. The CryptFile2 or CryptMix ransomware was also discovered by Proofpoint in the same spam campaign.

By targeting government institutions, cyber criminals might also infect a target that has failed to implement a proper backup procedure, effectively shutting down its system until a ransom has been paid.
