The primary targets of MarsJoke ransomware are .EDU and .GOV entities.
Ransomware has become a multi-billion dollar industry, and every week we come face-to-face with one type of ransomware scam or another. MarsJoke is the latest campaign to hit government agencies and educational institutions, and it is one you need to know about.
A string found in the code of this new ransomware reads “HelloWorldItsJokeFromMars,” which inspired the name of the ransomware now creating havoc on the internet. MarsJoke is a large-scale email phishing campaign whose key targets are local and federal government agencies and academic institutions within the United States.
According to Proofpoint researchers, “K12 educational institutions and state and local governments are often seen as easy targets because they lack the infrastructure and funding to ensure robust backups and strong defensive resources are in place to prevent and mitigate infections.”
The infected user needs to pay a ransom of 0.7 BTC, the equivalent of $320, within 96 hours. If that time expires, the files will be deleted.
A screenshot shared by Proofpoint shows the readme file that comes with the ransomware:
In a blog post, Proofpoint researchers explained that this new ransomware is quite similar to the CryptFile2 campaigns, but in the way it operates it is similar to CTB-Locker. This means the Kelihos botnet is playing a part in distributing the spam.
Proofpoint discovered this campaign on September 22. The emails use a range of subject lines referencing a high-profile national air carrier and package tracking, which makes the campaign look legitimate. The emails contain URLs that link to an executable file named file_6.exe. Experts believe that, apart from government and K-12 educational institutions, some healthcare, insurance, and telecommunication companies have also been targeted by MarsJoke. It has mostly been observed that the ransomware targets companies and agencies that cannot ignore threats like these.
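A mail-gateway triage check for the delivery method described above (a link to an executable rather than an attachment), added here as an example; it is not code from Proofpoint or from this article. The extension list, the sample message and its domains are constructed assumptions.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlsplit, unquote

# Extensions treated as directly executable on Windows (assumed list, not from the article).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample message; only the file name file_6.exe comes from the article.
SAMPLE = """\
From: tracking@carrier.example
To: staff@district.example
Subject: Your package tracking update
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Track your parcel: http://downloads.example/track/file_6.exe?id=4471
Help: https://carrier.example/help.html

--b1
Content-Type: text/html; charset="utf-8"

<p><a href="http://downloads.example/track/file_6.exe?id=4471">Track</a>
<a href="https://carrier.example/help.html">Help</a></p>

--b1--
"""

def executable_links(raw_message):
    """Return sorted (url, filename) pairs for links whose path ends in an executable extension."""
    msg = message_from_string(raw_message, policy=default)
    hits = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and binary attachments
        for url in URL_RE.findall(part.get_content()):
            url = url.rstrip(".,;)")  # drop trailing sentence punctuation
            # Use only the URL path, so a query string cannot hide the extension.
            name = unquote(urlsplit(url).path).rsplit("/", 1)[-1]
            dot = name.rfind(".")
            if dot != -1 and name[dot:].lower() in EXECUTABLE_EXTS:
                hits.add((url, name))
    return sorted(hits)

if __name__ == "__main__":
    print(executable_links(SAMPLE))
```

The same link appears in both the plain-text and HTML parts of the sample, so the result is de-duplicated before it is returned.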
According to Proofpoint, computers affected by MarsJoke have their Windows desktop background turned to a black screen, and the ransom message is displayed in a dialog box along with the message that “documents, scripts, photos and other important files have been encrypted with strongest encryption algorithm AES-265 and unique key, generated by this computer.”
The ransom message appears in English, but Proofpoint researchers have also noted Russian, Spanish, Ukrainian and Italian messages.
Source: Proofpoint, https://www.proofpoint.com/us/threat-insight/post/MarsJoke-Ransomware-Mimics-CTB-Locker