MarsJoke Launches a New Ransomware Approach

Women are from Venus and malware is from…Mars? Maybe: A new type of ransomware has appeared in orbit, dubbed MarsJoke.

Its name is based on a string contained within the code: “HelloWorldItsJokeFromMars.” Presumably of Earth origin, it’s also no joke. MarsJoke is mounting a large-scale email campaign to target primarily state and local government agencies and educational institutions in the United States. Once infected, victims have 96 hours to submit the ransom of 0.7 BTC (currently around $320) before files are deleted.

“Ransomware has become a billion dollar a year industry for cyber-criminals,” Proofpoint researchers said, in a blog. “In the case of the MarsJoke campaign described here, K12 educational institutions and state and local governments are often seen as easy targets because they lack the infrastructure and funding to ensure robust backups and strong defensive resources are in place to prevent and mitigate infections.”

Proofpoint researchers said the campaign is very similar to CryptFile2 campaigns, while visually the ransomware mimics the style of CTB-Locker. Those similarities point to the conclusion that a well-known botnet, Kelihos, is responsible for distributing the spam.

On September 22, Proofpoint detected the email campaign, which is using a variety of subject lines referencing a major national air carrier and package-tracking (adding an air of legitimacy to the lures with stolen branding). The emails contained URLs linking to an executable file named "file_6.exe" hosted on various sites with recently registered domains.

“This is a departure from the much more frequent attached document campaigns we have observed recently with a range of malware, including the widely distributed Locky ransomware,” the researchers said.

While the campaign is primarily aimed at state and local government agencies, followed by K-12 educational institutions, messages also came through in smaller numbers for healthcare, telecommunications, insurance and several other verticals.

“The message volume and targeting associated with this campaign bear further monitoring as attackers look to monetize new variants and old strains saturate potential victims,” the researchers concluded.
