Luckily for all users who have fallen victim to the MarsJoke ransomware, the Kaspersky Lab security team has managed to crack the threat and create a free decryptor.
MarsJoke is a fairly new piece of ransomware, which appeared only two weeks ago. Also known as JokeFromMars or Polyglot, it is delivered via malicious spam messages and has mainly targeted the government and K-12 educational sectors.
Even though it appeared so recently, MarsJoke's activity has drawn the attention of large security companies like Proofpoint and Kaspersky. Several independent security experts have also noticed it.
Today, Kaspersky Lab announced that they had succeeded in finding a weakness in MarsJoke's encryption. Thanks to this flaw, they created a free decryption tool, which is available for download from their webpage as the RannohDecryptor tool.
However, the researchers say that this decryptor will only help victims who are dealing with the ransomware's current versions. If the MarsJoke authors modify their product and fix the weakness, the tool will probably not work.
Kaspersky is referring to a previous case involving the CryptXXX ransomware. The team managed to crack the CryptXXX encryption three times and create three free decryptors, but the ransomware's authors fixed it for good in the end.
Experts who investigated MarsJoke very carefully said that the person behind it is no rookie. The creator did a lot of work to produce a visual style that is almost the same as that of the CTB-Locker ransomware, which is still uncrackable even after a couple of years.
“Despite the apparent similarities between Polyglot and CTB-Locker, they are two completely different malware species. They share almost no code.” – Kaspersky explained yesterday – “Our experts think that by mimicking CTB-Locker’s looks, Polyglot’s creators were trying to put researchers on the wrong track.”
Kaspersky explained that the creator of MarsJoke made a mistake while developing the ransomware's module that generates the encryption key. Thanks to this mistake, the team managed to create the decryptor.
For now, MarsJoke victims will be able to recover their files for free, but if the crooks update their threat, the decryptor will probably not be of much help.