Researchers Break MarsJoke Ransomware Encryption

Victims infected with the MarsJoke ransomware can now decrypt their files; researchers cracked the encryption in the CTB-Locker lookalike last week.

Victims infected with the MarsJoke ransomware can decrypt their files after researchers last week cracked the encryption in the CTB-Locker lookalike.

A trio of researchers from Kaspersky Lab’s Anti-Ransom Team–Anton Ivanov, Orkhan Mamedov, and Fedor Sinitsyn–described Monday how errors in the cryptography, a/k/a Polyglot, used in the ransomware enabled them to break it.

The biggest mistake developers behind the ransomware made was in the way they implemented its pseudo-random number generator. Researchers said a weak random string in the key generator could be broken. That allowed them to search for a set of possible keys produced by the generator in just “a few minutes” on a standard PC.

Researchers said they were able to take advantage of the developers’ mistake, calculate the AES key for an encrypted file, and break Polyglot’s encryption.

The researchers said there was a password-protected archive below an additional layer of symmetric encryption, but that it ultimately wasn’t too difficult to break either. The trio said they could determine the archive key by determining the positions of the four characters in the ZIP archive password to unpack it.

The rest of how Polyglot was set up was “almost flawless,” the researchers say. It utilized an elliptic curve, the Diffie-Hellman protocol, AES-256, and a seemingly legitimate password-protected archive. The botched number generator is where developers went wrong. It gave researchers just enough wiggle room to crack the mechanism.

Late last week, Kaspersky Lab added Polyglot decryption keys to its Rannoh Decryptor, which also decrypts files encrypted by Rannoh, CryptXXX and Fury ransomware, and is available on

The fact that the Polyglot cryptor shares similar features to CTB-Locker prompted the curiosity of the researchers in the first place. The messages Polyglot displays are exactly the same as CTB-Locker; the graphical interface, language switch, payment page, and method for requesting the encryption key all share similarities with the ransomware too.

Researchers note however that while the two strains are similar, it wasn’t until they conducted an in-depth analysis that they were able to determine Polyglot was developed independently from CTB-Locker. Neither cryptor shares the same code, they’re just strikingly similar to each other.

“Perhaps the creators of Polyglot wanted to disorient the victims and researchers, and created a near carbon copy of CTB-Locker from scratch to make it look like a CTB-Locker attack and that there was no hope of getting files decrypted for free,” the researchers wrote in a Securelist post Monday.

After being infected, usually by opening a malicious .RAR file sent via spam emails, users’ files are encrypted. While the file names aren’t changed, users can’t open them and they’re greeted with a typical ransom note displayed on their desktop. As a sign of good faith, the victim is offered the chance to decrypt several files for free, after which, they’re told to pay in Bitcoin.

If users don’t pay, a screen pops up telling them it’s no longer possible to decrypt their files and that it will “self delete.”

Researchers with Proofpoint detected a large email campaign, aimed at local government agencies and educational institutions, spreading MarsJoke last week. Researchers at the firm acknowledged that visually the ransomware appeared to mimic CTB-Locker. Researchers with the firm borrowed the nickname from a string of code it saw in the ransomware, “HelloWorldItsJokeFromMars.”

Some might think of CTB-Locker, a/k/a Critroni, as almost vintage ransomware at this point. It was one of the first crypto ransomware strains to really make some noise, more than two years ago. The ransomware began making the rounds in June 2014, circulating via spam messages. The malware was notable at the time for using elliptic curve crypto to encrypt files and using Tor to communicate with its command and control server.

Developers behind the ransomware were able to inject new life into it earlier this year via CTB-Locker for Websites, a strain that targeted websites, encrypted their content and demanded 0.4 Bitcoin for access to a key. For the most part, ransomware variants of late, like Cerber and Locky meanwhile, have embraced an old school method – macros – to infect victims.

Ransomware has been a major hassle for users, especially those in the healthcare industry, as of late, but strides have been made when it comes to combating the threat. The No More Ransom initiative, launched over the summer, has become a one-stop shop for users infected by many strains of ransomware. Decryption keys for variants such as Chimera, Teslacrypt, Shade, and now MarsJoke, have been posted to the site.

It was only a month ago that researchers with Kaspersky Lab, working alongside the Dutch National Police, were able to release keys for another strain of ransomware, Wildfire. Officials were able to take down the command and control server associated with the malware but not before it net attackers roughly $78,700 by targeting users in the Netherlands and Belgium.

Suggested articles