MarsJoke ransomware threatens to permanently encrypt files if a ransom is not paid

MarsJoke lockscreen

A new strain of ransomware has been targeting government agencies and educational institutions in the United States through scam emails that pose as important messages.

The malware, dubbed 'MarsJoke' by Proofpoint security researchers, was reportedly distributed in a large-scale email campaign that began last week. The developers are sending out emails disguised as a message from an airline company.

The email uses legitimate-looking images to convince the potential victim

For some reason, the email mentions tracking a parcel, and the user has to click a certain URL to be able to 'track' it. Upon clicking, the link redirects the unsuspecting user to a download of an executable file named "file_6.exe." Executing the file activates the MarsJoke ransomware.

Once the encryption is done, it creates a number of files, namely '!!! For Decrypt !!!.bat', '!!! Readme For Decrypt !!!.txt', and 'ReadMeFilesDecrypt!!!.txt', which are spread throughout several locations on the victim's computer. Encrypted files keep their original extension. Files with '.a19' and '.ap19' extensions will also appear, but will go away once the encryption process is done. The ransomware demands 0.7 Bitcoin, which is equal to $320 at the time of writing.
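The file artifacts described above can be turned into a simple host triage check. The following is an added example, not code from Proofpoint or from the original article: it walks a directory tree and looks for the three ransom-note names, the '.a19'/'.ap19' temporary extensions, and the "file_6.exe" download name. The triage labels returned by `assess` are an assumed mapping based only on the behaviour reported here.

```python
import os
import sys

# Indicators taken from the article text; names are compared case-insensitively.
NOTE_NAMES = {
    "!!! for decrypt !!!.bat",
    "!!! readme for decrypt !!!.txt",
    "readmefilesdecrypt!!!.txt",
}
TEMP_EXTS = {".a19", ".ap19"}   # appear during encryption, removed afterwards
DROPPER_NAMES = {"file_6.exe"}  # download name used by the email lure


def scan(root):
    """Walk root and collect paths matching each indicator class."""
    hits = {"notes": [], "temp": [], "dropper": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            low = name.lower()
            path = os.path.join(dirpath, name)
            if low in NOTE_NAMES:
                hits["notes"].append(path)
            elif os.path.splitext(low)[1] in TEMP_EXTS:
                hits["temp"].append(path)
            elif low in DROPPER_NAMES:
                hits["dropper"].append(path)
    return hits


def assess(hits):
    """Triage label (assumed mapping, derived from the behaviour described)."""
    if hits["temp"]:
        return "encryption-in-progress"  # temp files still on disk
    if hits["notes"]:
        return "encryption-complete"     # notes dropped, temp files gone
    if hits["dropper"]:
        return "dropper-present"         # downloaded, no encryption artifacts
    return "clean"


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    found = scan(root)
    print(assess(found))
    for kind, paths in found.items():
        for p in paths:
            print(f"{kind}\t{p}")
```

Because encrypted files keep their original extension, a scan for renamed files will not find them; the notes and temporary files are the artifacts that remain visible on disk.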

To make things worse, the victim's desktop background will be modified, stating that their files have been encrypted. It will also display a 96-hour timer, which is the time the victim has left before the files become permanently encrypted.

Like other ransomware, it also scares the user by telling them that any action taken that doesn't involve paying the cybercriminals will result in their files being lost forever. As a way of convincing people that their files can really be decrypted, it also offers to decrypt two files for free. Lastly, the cybercrooks also include instructions on how to acquire Bitcoins.

The Proofpoint researchers came up with the name 'MarsJoke' after discovering a string within the malware code, which states, 'HelloWorldItsJokeFromMars.'

Public institutions and government entities are becoming the new favorite target of malware developers. This is because the developers usually see that these organizations have weak infrastructure that does not provide strong backups, making them an easy target. With ransomware such as MarsJoke targeting a large audience, we can only expect criminals to up their game even further, to try and drain their victims' money.

Source: Proofpoint via ZDNet | Images via Proofpoint
