Ransomware

MarsJoke Ransomware Defeated Due to Cryptographic Errors

The MarsJoke ransomware, which attacks small .edu and .gov portals, has reportedly been cracked thanks to weaknesses in its cryptography, allowing victims to unlock previously encrypted files.

Also read: Factom Secures $4.2m Series A Funding Deal with Tim Draper

Research Team Breaks Ransomware’s Encryption

An anti-ransom team at Kaspersky Lab consisting of three researchers — Anton Ivanov, Orkhan Mamedov, and Fedor Sinitsyn — ultimately did the ransomware in.

According to the team, MarsJoke developers made a mistake that allowed the breakthrough.

Specifically, the mistake lay in the pseudo-random nkasperskyumber generator’s execution, which allowed Kaspersky to break a random string in the key generator. In turn, researchers could then search for a set of possible keys in just “a few minutes” on a standard PC.

Additionally, the researchers said an additional layer of encryption lay on top of a password protected archive. However, the team also broke this extra layer of encryption without much difficulty

The mishandled number generator seems to be the team’s saving grace. Other than that one mistake, they said the ransomware developers set up the rest of the cryptography “almost flawlessly.”

Adding MarsJoke to Growing List of Defeated Ransomware

KeysThus, Kaspersky Lab added the MarsJoke decryption keys to its Rannoh decryptor. This also decrypts files encrypted with Rannoh, CryptXXX, and Fury ransomware. All these are available on NoMoreRansom.org.

This follows a larger effort by global law enforcement and others to combat ransomware. Specifically, Kaspersky’s No More Ransom initiative operates in conjunction with security giants like Intel Security and the Dutch National Police.

The initiative began this summer and has released keys for another strain of ransomware, Wildfire. With the help of Kaspersky and Intel Security, Dutch officials were able to take down the malware’s command and control serve. However, this was after developers already stole $78,000 from victims.

Ransomware Evolves, But Victims Have More Options

NoMoreRansom.org site is now a one-stop shop for users needing decryption keys for a variety of ransomware strains. Keys for variants such as Chimera, Teslacrypt, Shade, and now MarsJoke, are posted on the site.

Furthermore, Kaspersky added the MarsJoke ransomware looked visually similar to an older, more well-known variant called CTB-Locker. This particular ransomware was one of the first crypto strains to really make some noise, more than two years ago

Also, researchers said the ransomware’s method of infection is via spam email, and by users opening a malicious .RAR file. Following this, the user’s files will be encrypted. However as a sign of good faith, the malware offers victims the chance to decrypt several files for free. After this, they must pay in Bitcoin.

What do you think of Kaspersky Lab breaking the MarJoke Ransomware’s encryption? Let us know in the comments below!


Source: Threatpost

Images Courtesy of malwarebytes.com, Kaspersky Lab, mathssandpit.co.uk


Want other people to broadcast your tweets too? Post your tweet on Birds and set the amount you’d like to spend. Birds will hand out your money in set amounts until it’s all spend, and your message has spread far and wide.