Researchers have cracked the MarsJoke crypto-ransomware, defanging it and giving victims a way to decrypt their files.
Anton Ivanov, Orkhan Mamedov, and Fedor Sinitsyn of Kaspersky Lab’s Anti-Ransom Team explained that the Trojan, which is also known as Polyglot, looks like a knockoff of the classic CTB-Locker ransomware, down to the way it changes victims’ desktop wallpaper, the fact that it lets victims decrypt five files free, and in its identical instructions to victims.
However, the two share almost no code and are in fact completely different pieces of malware. The researchers suspect that the mimicry was intended to throw researchers off and dissuade them from looking under the hood.
“Perhaps the creators of Polyglot wanted to disorient the victims and researchers, and created a near carbon copy of CTB-Locker from scratch to make it look like a CTB-Locker attack and that there was no hope of getting files decrypted for free,” the researchers said in a blog.
The problem is, what’s under the hood is deeply flawed. The main issue is that the creator made a mistake with the key generator.
All of the keys the malware creates are derived from a randomly generated array of characters, so their strength is bounded by the strength of the generator. In this case the generator is weak: an exhaustive search of the entire set of keys such a pseudo-random number generator can produce takes only a few minutes on a standard PC.
“Taking advantage of this mistake, we were able to calculate the AES key for an encrypted file,” the researchers explained.
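The flaw described above is a general one: if key bytes come from a deterministic generator with a small seed space, the effective key strength is the seed entropy, not the nominal key length, and an auditor can confirm that by enumerating the seeds. The following is an added illustration written for this article, not Polyglot's actual routine or Kaspersky's tooling; it uses a constructed toy generator with a 16-bit seed so the enumeration finishes in seconds, and contrasts it with keys drawn from the OS CSPRNG.

```python
import math
import random
import secrets
from typing import Optional

# Constructed alphabet: the "array of characters" a weak generator draws from.
ALPHABET = b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def weak_key(seed: int, length: int = 32) -> bytes:
    """Toy key generator modelled on the mistake the article describes.

    The key looks random, but every byte is a deterministic function of a
    non-cryptographic PRNG seed. With a 16-bit seed there are only 65,536
    possible keys, regardless of the 32-character key length.
    (Hypothetical design for illustration; not the malware's code.)
    """
    rng = random.Random(seed)
    return bytes(rng.choice(ALPHABET) for _ in range(length))


def strong_key(length: int = 32) -> bytes:
    """What a key generator should do: read from the OS CSPRNG.

    secrets.token_bytes gives 8 bits of entropy per byte, so a 32-byte key
    has a 256-bit keyspace that cannot be enumerated.
    """
    return secrets.token_bytes(length)


def effective_keyspace_bits(seed_bits: int, length: int, alphabet_size: int) -> float:
    """Effective strength is the minimum of seed entropy and nominal key entropy.

    nominal = length * log2(alphabet_size); for 32 chars over 62 symbols that
    is about 190 bits, but a 16-bit seed caps the real keyspace at 16 bits.
    """
    nominal = length * math.log2(alphabet_size)
    return min(float(seed_bits), nominal)


def recover_seed(observed_key: bytes, seed_bits: int = 16) -> Optional[int]:
    """Audit check for a key generator: try to reproduce an observed key by
    enumerating every seed the generator could have used.

    If this returns a seed in seconds, the generator is unfit for key
    material; a properly seeded CSPRNG makes the loop infeasible.
    """
    length = len(observed_key)
    for seed in range(1 << seed_bits):
        if weak_key(seed, length) == observed_key:
            return seed
    return None


if __name__ == "__main__":
    # Constructed demo: a key produced with a known seed, then recovered.
    key = weak_key(0x2A5F)
    print("weak key:", key.decode())
    print("effective bits:", effective_keyspace_bits(16, 32, len(ALPHABET)))
    print("recovered seed:", recover_seed(key))
    print("strong key (hex):", strong_key().hex())
    print("strong key keyspace bits:", effective_keyspace_bits(256, 32, 256))
```

The point of `effective_keyspace_bits` is that the defensive check is arithmetic, not brute force: whenever the seed (or the inputs to a KDF) carries fewer bits than the key, the key inherits the smaller number. `recover_seed` exists only to make that number concrete during a review of your own code.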
Kaspersky has made a free decryptor available—but warned that the MarsJoke authors could tweak the malware at any time to strengthen it.
On September 22, Proofpoint detected an email campaign spreading MarsJoke, which uses a variety of subject lines referencing a major national air carrier and package-tracking (adding an air of legitimacy to the lures with stolen branding). The emails contained URLs linking to an executable file named "file_6.exe" hosted on various sites with recently registered domains. Overall, it’s a departure from the much more frequent attached document campaigns.
Photo © DD images