SafeUM
Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
4 Oct 2016

MarsJoke: the cryptor and the cure

Every day, new versions and variations of ransomware pop up. Malware creators are still sure that ransomware is their ticket to easy street, despite the fact that law enforcement agencies are paying more and more attention to the problem.

In fact, so many different versions are out there that ransomware creators have started to repeat themselves or copy the work of others. For example, the recently discovered Trojan-cryptor Polyglot, aka MarsJoke, is a knockoff of the infamous (and rather nasty) CTB-Locker ransomware.

You can see traces of CTB-Locker all over Polyglot. Its interface is absurdly reminiscent of the older Trojan. It changes victims’ desktop wallpaper the same way and, just like CTB-Locker, it lets victims decrypt five files for free as proof that the files can be decrypted. Polyglot’s instructions to victims are also identical to those of CTB-Locker — the text looks to have been copied and pasted. Even the “Request failed” window that pops up when there is no Internet connection looks the same.

The encryption algorithms Polyglot uses are also the same — and they are rather strong.

Polyglot is delivered mostly through spam — the e-mails contain malicious links allegedly leading to some important documents. Of course, there are no documents — just an archive with a malicious executable file. Once installed, Polyglot connects to its command-and-control server to send information about the infected PC and handle the ransom. In our case, it demanded 0.7 bitcoins, which is about $320.

Perhaps the only visual discrepancy between CTB-Locker and its new clone is that MarsJoke/Polyglot leaves the encrypted files with their original extensions, whereas CTB-Locker changed the extension — usually to .ctbl or .ctb2. Despite the apparent similarities between Polyglot and CTB-Locker, they are two completely different malware species. They share almost no code. Our experts think that by mimicking CTB-Locker’s looks, Polyglot’s creators were trying to put researchers on the wrong track.
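Because Polyglot/MarsJoke leaves encrypted files with their original extensions, the quickest post-incident triage used for CTB-Locker (listing every file renamed to .ctbl or .ctb2) finds nothing. What still gives an encrypted-in-place file away is its content: the leading bytes no longer match the type the extension claims, and the byte distribution is close to 8 bits of entropy per byte, as ciphertext is. The script below, an added example and not code from Kaspersky, SafeUM, or the malware itself, checks both signals over a directory tree. The magic-byte table, the 7.5 bits/byte threshold, and the sample files it constructs in a temporary directory are assumptions chosen for the example.

```python
"""Triage check for in-place file encryption (added example, not Kaspersky or SafeUM code).

A file is flagged only when BOTH signals agree: the header does not match the
type its extension claims, and the content looks like ciphertext. Requiring
both keeps legitimately compressed files (high entropy, but correct header)
out of the results. All signatures, thresholds and sample data are assumptions.
"""
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

# Leading-byte signatures for a few common document types (standard published values).
MAGIC = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".zip": (b"PK\x03\x04",),
    ".docx": (b"PK\x03\x04",),
}
HIGH_ENTROPY = 7.5  # bits per byte; assumed threshold, well above text/PDF, close to ciphertext


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path) -> str:
    """Verdict for one file based on its extension, leading bytes and entropy."""
    data = path.read_bytes()
    signatures = MAGIC.get(path.suffix.lower())
    if signatures is None:
        return "unknown-type"          # no signature to compare the header against
    if any(data.startswith(sig) for sig in signatures):
        return "ok"                    # header matches the claimed type
    if shannon_entropy(data) >= HIGH_ENTROPY:
        return "encrypted-in-place?"   # wrong header AND ciphertext-like content
    return "header-mismatch"           # wrong header but structured content; inspect manually


def scan_tree(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its verdict."""
    return {p.relative_to(root).as_posix(): classify(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def pseudo_ciphertext(seed: bytes, nbytes: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed sample data)."""
    blocks = (hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in range(nbytes // 32 + 1))
    return b"".join(blocks)[:nbytes]


def build_sample_tree(root: Path) -> None:
    """Constructed samples: two intact documents, two 'encrypted in place', one of unknown type."""
    (root / "report.pdf").write_bytes(
        b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 40 + b"%%EOF\n")
    (root / "scan.png").write_bytes(b"\x89PNG\r\n\x1a\n" + bytes(2048))
    (root / "encrypted_report.pdf").write_bytes(pseudo_ciphertext(b"report"))
    (root / "encrypted_scan.png").write_bytes(pseudo_ciphertext(b"scan"))
    (root / "notes.txt").write_bytes(b"meeting notes: call back tuesday\n" * 20)


def demo() -> dict:
    """Build the sample tree in a fresh temporary directory and return the scan verdicts."""
    root = Path(tempfile.mkdtemp(prefix="marsjoke-triage-"))
    build_sample_tree(root)
    return scan_tree(root)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:20s} {name}")
```

On a real machine you would call `scan_tree` on the user profile or a file share rather than `demo()`; the two intact documents and `notes.txt` come back as `ok` / `unknown-type`, and only the two files whose content was replaced by ciphertext are reported as `encrypted-in-place?`. The `header-mismatch` verdict is a separate bucket on purpose: a renamed or corrupted file has the wrong header too, but its low entropy means it is not the ransomware's work.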

As you may know, there is no known way to decrypt files encrypted by CTB-Locker without paying the ransom. But again, Polyglot and CTB-Locker are not the same under the hood. And fortunately, Polyglot’s creator made a mistake with the key generator, and that made it possible for researchers to come up with a cure — a free utility that can decrypt all of the damaged files. To decrypt the files encrypted by Polyglot/MarsJoke, download and install the free RannohDecryptor utility (version 1.9.3.0 or newer) from noransom.kaspersky.com. It will restore your files.

Truth be told, experts got lucky with Polyglot/MarsJoke. Malware creators are constantly adapting and improving their creations. For example, after experts solved CryptXXX three times, its creator finally tuned the encryption algorithm such that our utilities could not handle it. Maybe Polyglot’s creator will manage the same feat. Bottom line: You can’t rely on a decryption utility being available for any ransomware you might encounter.

The best way to stay safe from ransomware is to catch it before it starts doing anything. And that is what good antivirus solutions do. To be on the safe side, experts also recommend that you back up your data frequently and avoid opening suspicious attachments or clicking on suspicious links.

Tags: fraud, information leaks, trojan, data protection
Source:
Kaspersky Daily