Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Researchers Break Encryption of MarsJoke Ransomware

The recently discovered MarsJoke ransomware has a encryption weakness that has allowed Kaspersky Lab security researchers to create a decryptor and help users restore their files for free.

The recently discovered MarsJoke ransomware has a encryption weakness that has allowed Kaspersky Lab security researchers to create a decryptor and help users restore their files for free.

Spotted for the first time in late August, the ransomware family gained attention last week, when the first large-scale spam distribution campaign was spotted. Dubbed MarsJoke, but also referred to as Polyglot, the malware was found to copy the previously established CTB-Locker ransomware and to target mainly government agencies and educational institutions.

MarsJoke/Polyglot is being distributed through spam emails that link to a malicious file, either an executable or a RAR archive (which contains cryptor’s executable code). Immediately after infection, the ransomware appears to be doing nothing, but it actually copies itself to multiple locations, while also writing itself to the autostart folder and to TaskScheduler.

During the encryption process, the malware doesn’t change the name of encrypted files, but makes their content inaccessible to the user. After encrypting victim’s files, the malware changes the desktop wallpaper with an image unique to each victim, and displays a ransom message. It also allows the victim to decrypt several files for free, Kaspersky Lab researchers explain.

Users are told to pay the ransom in Bitcoin and the ransomware contacts the command and control (C&C) server located on the Tor network to retrieve information about the ransom amount and the Bitcoin address the payment should be made to. If the payment isn’t made within a specific time frame, the malware notifies the user that the files can no longer be decrypted.

While analyzing the threat, the security researchers observed that it mimics all of the features CTB-Locker had, including graphical interface window, language switch, encryption algorithms, sequence of actions for requesting the encryption key, payment page, and desktop wallpapers. However, the two don’t share code, as MarsJoke/Polyglot was developed independently from CTB-Locker, Kaspersky Lab researchers say.

Further analysis revealed that the malware performs a three-stage encryption: it places the file in a password-protected ZIP archive named as the original file but having the “a19” extension; encrypts the archive with the AES-256-ECB algorithm and changes the extension to “ap19”; deletes the original file and the a19 archive and changes the “ap19” extension to that of the original file.

The ransomware generates a separate AES key for each file, and each of the generated keys is based on a randomly generated array of characters. Because the strength of the keys is determined by the generator’s strength, weakened implementation of the generator has resulted in easy to find keys.

“Only the cybercriminal knows why they decided to make the random string this much weaker – an exhaustive search of the entire set of the possible keys produced by such a pseudo-random number generator will only take a few minutes on a standard PC,” Kaspersky’s researchers explain. “Taking advantage of this mistake, we were able to calculate the AES key for an encrypted file.”

Although the resulting file is a password-protected archive, the security researchers discovered that the password protecting it is weak as well. The key is only 4 bytes and those bytes were selected from the string MachineGuid, which is the unique ID that the operating system assigns to the computer. “If we know the positions in which the 4 characters of the ZIP archive password are located, we can easily unpack the archive,” the researchers reveal.

Decryption capabilities for the MarsJoke/Polyglot ransomware have been already included in Kaspersky Lab’s free utility dubbed RannohDecryptor. Just over a month ago, the security researchers managed to break the encryption of the Wildfire ransomware and made a decryptor available through the No More Ransom Project.

Related: New MarsJoke Ransomware Targets Government Agencies

Related: Encryptor RaaS Shuts Down Without Releasing Master Key

Related: Brazilian Hackers Using RDP to Spread Xpan Ransomware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.