SecurityWeek

Malware & Threats

Researchers Break Encryption of MarsJoke Ransomware

The recently discovered MarsJoke ransomware has an encryption weakness that has allowed Kaspersky Lab security researchers to create a decryptor and help users restore their files for free.

Spotted for the first time in late August, the ransomware family gained attention last week, when the first large-scale spam distribution campaign was spotted. Dubbed MarsJoke, but also referred to as Polyglot, the malware was found to copy the previously established CTB-Locker ransomware and to target mainly government agencies and educational institutions.

MarsJoke/Polyglot is being distributed through spam emails that link to a malicious file, either an executable or a RAR archive (which contains the cryptor’s executable code). Immediately after infection, the ransomware appears to do nothing, but it actually copies itself to multiple locations, while also writing itself to the autostart folder and registering itself with the Task Scheduler.

During the encryption process, the malware doesn’t change the names of encrypted files, but makes their content inaccessible to the user. After encrypting the victim’s files, the malware changes the desktop wallpaper to an image unique to each victim and displays a ransom message. It also allows the victim to decrypt several files for free, Kaspersky Lab researchers explain.

Users are told to pay the ransom in Bitcoin and the ransomware contacts the command and control (C&C) server located on the Tor network to retrieve information about the ransom amount and the Bitcoin address the payment should be made to. If the payment isn’t made within a specific time frame, the malware notifies the user that the files can no longer be decrypted.

While analyzing the threat, the security researchers observed that it mimics all of the features CTB-Locker had, including the graphical interface window, the language switch, the encryption algorithms, the sequence of actions for requesting the encryption key, the payment page, and the desktop wallpapers. However, the two don’t share code, as MarsJoke/Polyglot was developed independently from CTB-Locker, Kaspersky Lab researchers say.

Further analysis revealed that the malware encrypts each file in three stages: it places the file in a password-protected ZIP archive named after the original file but with the “a19” extension; it encrypts that archive with the AES-256-ECB algorithm and changes the extension to “ap19”; and it deletes the original file and the a19 archive and renames the “ap19” file back to the original file’s extension.

The ransomware generates a separate AES key for each file, and each key is derived from a randomly generated array of characters. Because the strength of a key is determined by the strength of the generator that produced it, the weak implementation of the generator makes the keys easy to find.

“Only the cybercriminal knows why they decided to make the random string this much weaker – an exhaustive search of the entire set of the possible keys produced by such a pseudo-random number generator will only take a few minutes on a standard PC,” Kaspersky’s researchers explain. “Taking advantage of this mistake, we were able to calculate the AES key for an encrypted file.”

Although the decrypted result is still a password-protected archive, the security researchers discovered that the password protecting it is weak as well. The password is only 4 bytes long, and those bytes were selected from the MachineGuid string, the unique ID that the operating system assigns to the computer. “If we know the positions in which the 4 characters of the ZIP archive password are located, we can easily unpack the archive,” the researchers reveal.
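To show why a weak key generator defeats AES-256 regardless of key length, here is an added model of the flaw described above; it is not the malware’s code or Kaspersky’s decryptor. It assumes a per-file key built from a PRNG seeded with only 16 bits of entropy, uses a SHA-256 keystream as a stand-in for AES-256-ECB (the standard library has no AES), and uses the fixed ZIP header of the stage-one archive as the known-plaintext check; the CSPRNG-based key next to it is the fix.

```python
"""Model of a per-file key derived from a weak generator, and why it is searchable."""
import hashlib
import os
import random
from typing import Optional

ZIP_MAGIC = b"PK\x03\x04"   # every ZIP archive (the stage-one output) starts with this
SEED_BITS = 16              # assumption: entropy of the weak generator, not from the article


def weak_file_key(seed: int) -> bytes:
    """Model of the flaw: 32 'random' characters fully determined by a tiny seed."""
    rng = random.Random(seed)
    return "".join(rng.choice("0123456789abcdef") for _ in range(32)).encode()


def strong_file_key() -> bytes:
    """The fix: 32 bytes from the OS CSPRNG, so there is no seed space to enumerate."""
    return os.urandom(32)


def stand_in_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES-256-ECB: XOR with a SHA-256 keystream (symmetric, so it also decrypts)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def recover_key(ciphertext: bytes) -> Optional[bytes]:
    """Enumerate every key the weak generator can emit and test the known ZIP header.
    2**16 candidates is instant; a 2**256 space would be out of reach."""
    head = ciphertext[:4]
    for seed in range(1 << SEED_BITS):
        key = weak_file_key(seed)
        if stand_in_cipher(key, head) == ZIP_MAGIC:
            return key
    return None


def demo(seed: int = 0xBEEF) -> bool:
    """Encrypt a constructed stage-one archive with a weak key, then recover it."""
    archive = ZIP_MAGIC + b"\x14\x00\x00\x00\x08\x00" + b"constructed archive body"
    key = weak_file_key(seed)
    encrypted = stand_in_cipher(key, archive)
    found = recover_key(encrypted)
    return found is not None and stand_in_cipher(found, encrypted) == archive


if __name__ == "__main__":
    print("key recovered:", demo())  # prints "key recovered: True"
```

The same search is hopeless against `strong_file_key()`: with 256 bits of OS-supplied entropy there is no seed to enumerate, which is the property the malware author gave up.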

Decryption capabilities for the MarsJoke/Polyglot ransomware have already been included in Kaspersky Lab’s free utility dubbed RannohDecryptor. Just over a month ago, the security researchers managed to break the encryption of the Wildfire ransomware and made a decryptor available through the No More Ransom Project.

Related: New MarsJoke Ransomware Targets Government Agencies

Related: Encryptor RaaS Shuts Down Without Releasing Master Key

Related: Brazilian Hackers Using RDP to Spread Xpan Ransomware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.