Researchers at Proofpoint have been extremely vigilant in uncovering new strains of malware lately. The most recent example of this is identifying a new ransomware that targets government and education. Called MarsJoke because of a code string in the malware that says “HelloWorldItsJokeFromMars,” the ransomware first appeared in August and exhibits similarities to CryptFile2, according to a Proofpoint blog post.
The MarsJoke and CryptFile2 ransomware campaigns both attacked government agencies via email campaigns. The email is distributed through a botnet identified by researcher Gary Warner as Kelihos. MarsJoke’s email looks very convincing to the layman, and if the target takes the bait they will open, via a clickable URL, a file called “file_6.exe.” Upon execution, file_6.exe unleashes MarsJoke’s payload, which encrypts all files but does not change their extensions.
Once the encryption is complete, the infected machine will show a message that states “documents, scripts, photos and other important files have been encrypted with strongest encryption algorithm AES-265 and unique key, generated for this computer.” The message, via readme file, then instructs the victim to either pay the ransom at the assigned public gates, or use Tor to access an onion portal and pay that way. There is a 96-hour time limit to pay the ransom, which totals 0.7 bitcoin or $350.
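Because MarsJoke leaves file extensions untouched, a monitor that only watches for renamed files (the usual ransomware tell) will miss it. The following added example, written for this summary and not taken from Proofpoint's report, shows a defender-side check that instead compares a file's extension against its expected header bytes and falls back to an entropy test for formats without a fixed header; the magic-byte table, threshold, and sample files are constructed assumptions.

```python
import math
import os

# Header bytes expected for a few common document types (assumption: a
# short table is enough for the demonstration; extend it for real use).
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".docx": b"PK\x03\x04",  # OOXML files are zip containers
    ".xlsx": b"PK\x03\x04",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 8.0 for ciphertext, well below that for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(name: str, data: bytes, threshold: float = 7.5) -> bool:
    """Flag a file whose extension promises a known header that is absent,
    or, for extensions without a header, whose bytes look near-random."""
    ext = os.path.splitext(name)[1].lower()
    magic = MAGIC.get(ext)
    if magic is not None:
        return not data.startswith(magic)
    return shannon_entropy(data[:4096]) > threshold


# Constructed samples: a real-looking PDF, plain notes, and the same two
# names carrying ciphertext-like bytes (every byte value equally often).
CIPHERTEXT = bytes(range(256)) * 16
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n",
    "notes.txt": b"meeting notes: review patch schedule\n" * 40,
    "report_after.pdf": CIPHERTEXT,
    "notes_after.txt": CIPHERTEXT,
}


def scan(samples: dict) -> dict:
    """Return {filename: True if the content no longer matches its name}."""
    return {name: looks_encrypted(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, flagged in scan(SAMPLES).items():
        print(f"{name}: {'SUSPECT' if flagged else 'ok'}")
```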
In the conclusion of their report, Proofpoint cautions that MarsJoke may be one of the more dangerous ransomware strains to date. The reason for this is that “the message volume and targeting associated with this campaign bear further monitoring as attackers look to monetize new variants and old strains saturate potential victims.” With ransomware earning cybercriminals around $1 billion annually, it has become the preferred method of illegally extracting cash from victims. MarsJoke is likely the start of a tidal wave of more powerful ransomware.
The InfoSec community, as well as private citizens, should take note and stay vigilant.
Photo credit: Proofpoint, Soban