Researchers Break Encryption of MarsJoke Ransomware

The recently discovered MarsJoke ransomware has an encryption weakness that has allowed Kaspersky Lab security researchers to create a decryptor and help users restore their files for free.

Spotted for the first time in late August, the ransomware family gained attention last week, when its first large-scale spam distribution campaign was observed. Dubbed MarsJoke, but also referred to as Polyglot, the malware was found to copy the previously established CTB-Locker ransomware and to target mainly government agencies and educational institutions.

MarsJoke/Polyglot is being distributed through spam emails that link to a malicious file, either an executable or a RAR archive containing the cryptor’s executable code. Immediately after infection, the ransomware appears to do nothing, but it actually copies itself to multiple locations, while also writing itself to the autostart folder and registering itself with the Task Scheduler.

During the encryption process, the malware doesn’t change the names of encrypted files, but makes their content inaccessible to the user. After encrypting the victim’s files, the malware changes the desktop wallpaper to an image unique to each victim and displays a ransom message. It also allows the victim to decrypt several files for free, Kaspersky Lab researchers explain.

Users are told to pay the ransom in Bitcoin, and the ransomware contacts its command and control (C&C) server, located on the Tor network, to retrieve the ransom amount and the Bitcoin address to which the payment should be made. If the payment isn’t made within a specific time frame, the malware notifies the user that the files can no longer be decrypted.

While analyzing the threat, the security researchers observed that it mimics all of the features CTB-Locker had, including the graphical interface window, language switch, encryption algorithms, sequence of actions for requesting the encryption key, payment page, and desktop wallpapers. However, the two don’t share code, as MarsJoke/Polyglot was developed independently from CTB-Locker, Kaspersky Lab researchers say.

Further analysis revealed that the malware performs a three-stage encryption: it places the file in a password-protected ZIP archive that keeps the original file name but carries the “a19” extension; encrypts that archive with the AES-256-ECB algorithm and changes the extension to “ap19”; then deletes the original file and the a19 archive and renames the “ap19” file back to the original file’s extension.

The ransomware generates a separate AES key for each file, and each of the generated keys is derived from a randomly generated array of characters. Because the strength of the keys is determined by the strength of that generator, its weak implementation makes the keys easy to recover.

“Only the cybercriminal knows why they decided to make the random string this much weaker – an exhaustive search of the entire set of the possible keys produced by such a pseudo-random number generator will only take a few minutes on a standard PC,” Kaspersky’s researchers explain. “Taking advantage of this mistake, we were able to calculate the AES key for an encrypted file.”
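To make the weakness concrete, here is an added example (not Kaspersky’s code and not the malware’s) that models a per-file AES-256-ECB key whose generator has only 16 bits of state and recovers it by the exhaustive search the researchers describe, beside the CSPRNG-based key that would have made the search impossible. The generator, the 16-bit seed and the use of the ZIP local-file-header magic as known plaintext are assumptions made for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	mrand "math/rand"
)

// Constructed stand-in for a weak per-file key generator: the AES-256 key is
// fully determined by a 16-bit seed, so only 65,536 keys exist. The page does
// not describe the real generator; this models only the exploited property.
func weakKey(seed uint32) []byte {
	r := mrand.New(mrand.NewSource(int64(seed)))
	key := make([]byte, 32)
	for i := range key {
		key[i] = byte(r.Intn(256))
	}
	return key
}
// strongKey is the fix: 32 bytes from the OS CSPRNG, a space nobody can search.
func strongKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}
// encryptBlockECB encrypts one 16-byte block; ECB encrypts every block
// independently, so a single known block is enough to test a candidate key.
func encryptBlockECB(key, block []byte) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, block)
	return out, nil
}
// Known-plaintext assumption: the encrypted file is a ZIP archive, whose first
// bytes are the fixed local-file-header magic "PK\x03\x04" (rest: sample data).
var zipHeaderBlock = append([]byte("PK\x03\x04"), make([]byte, 12)...)
// recoverSeed is the exhaustive search the page describes: try every seed and
// return the one whose key reproduces the observed ciphertext block.
func recoverSeed(ciphertext []byte) (uint32, bool) {
	for seed := uint32(0); seed < 1<<16; seed++ {
		got, err := encryptBlockECB(weakKey(seed), zipHeaderBlock)
		if err == nil && bytes.Equal(got, ciphertext) {
			return seed, true
		}
	}
	return 0, false
}
```

On a typical laptop the full 16-bit search finishes in about a second; the same search against a key from strongKey would have to cover 2^256 candidates.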

Although the resulting file is a password-protected archive, the security researchers discovered that the password protecting it is weak as well. The password is only 4 bytes long, and those bytes are selected from the MachineGuid string, the unique ID that the operating system assigns to the computer. “If we know the positions in which the 4 characters of the ZIP archive password are located, we can easily unpack the archive,” the researchers reveal.

Decryption capabilities for the MarsJoke/Polyglot ransomware have already been added to Kaspersky Lab’s free utility, RannohDecryptor. Just over a month ago, the security researchers managed to break the encryption of the Wildfire ransomware and made a decryptor available through the No More Ransom Project.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
