That's not funny: MarsJoke ransomware threatens to wipe data if a ransom is not paid within 96 hours

A new ransomware family is taking aim at government targets.
Written by Danny Palmer, Senior Writer

MarsJoke ransomware: you'll turn red with anger if you're infected.


A new form of ransomware is targeting government agencies and educational institutions in the US, using emails claiming to be from airlines.

The MarsJoke ransomware was unearthed by Proofpoint security researchers, who said that a large-scale email campaign distributing the machine-locking malware began on 22 September, with the main targets being state and local government agencies.

MarsJoke is just the latest in a string of new ransomware attacks, set to cost organisations a total of $1bn during 2016 alone.

Those behind MarsJoke are sending out malicious emails designed to look like they're from airlines: the method is similar to that used by a recent CryptFile 2 ransomware campaign, which attempted to lure government targets with offers of cheap flights.


A fake airline email used to trick victims into installing MarsJoke.

Image: Proofpoint

The recipient receives an email with a subject line that mentions tracking a parcel; when opened, the message claims to be from a carrier and invites them to click on a link to track their delivery.

If the target's suspicions aren't raised by the spelling errors and bad English and they click on the link, they'll be taken to a URL hosting a file named 'file_6.exe' which will infect the targeted machine with MarsJoke.

This sort of approach is different to many other types of ransomware -- including the widely-distributed Locky -- because it encourages users to click a link rather than download an infected document.

Researchers have chosen this name for the ransomware based on a string in the code which says 'HelloWorldItsJokeFromMars'.

Once a machine is infected, MarsJoke encrypts files and creates new files with names like !!! For Decrypt !!!.bat, !!! Readme For Decrypt !!!.txt, and ReadMeFilesDecrypt!!!.txt to inform the victim that their files have been encrypted and to provide instructions on how to pay a ransom of 0.7 Bitcoins ($320); the untraceable nature of Bitcoin makes it a popular payment method for cybercriminals.
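For responders scoping an infection, the ransom-note file names listed above can be swept for across a file share. The Python below is an added example, not code from Proofpoint or this article: the function names and the sample tree are constructed for illustration, and using the earliest note timestamp as a rough marker of when notes first appeared is an assumption rather than documented MarsJoke behaviour.

```python
import os
import re
import tempfile
# Ransom-note file names exactly as listed in the article.
NOTE_NAMES = ("!!! For Decrypt !!!.bat", "!!! Readme For Decrypt !!!.txt",
              "ReadMeFilesDecrypt!!!.txt")

def _norm(name):
    # Ignore case and whitespace so small variations of a name still match.
    return re.sub(r"\s+", "", name).lower()
_KNOWN = {_norm(n): n for n in NOTE_NAMES}

def find_ransom_notes(root):
    """Walk root; return sorted (path, matched note name, mtime) per hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            note = _KNOWN.get(_norm(fname))
            if note is None:
                continue
            path = os.path.join(dirpath, fname)
            try:
                hits.append((path, note, os.stat(path).st_mtime))
            except OSError:
                continue  # file vanished or unreadable; keep scanning
    return sorted(hits)

def summarize(hits):
    """Affected directories and the earliest note timestamp (None if clean)."""
    dirs = sorted({os.path.dirname(p) for p, _n, _t in hits})
    return {"directories": dirs,
            "first_note_mtime": min((t for _p, _n, t in hits), default=None)}

def build_sample_tree(base):
    """Constructed sample data: two directories with notes, one clean."""
    layout = {"docs": [("!!! For Decrypt !!!.bat", 1000), ("report.docx", 900)],
              "pics": [("readmefilesdecrypt!!!.TXT", 1200)],
              "clean": [("notes.txt", 800)]}
    for sub, entries in layout.items():
        os.makedirs(os.path.join(base, sub))
        for fname, mtime in entries:
            path = os.path.join(base, sub, fname)
            open(path, "w").close()
            os.utime(path, (mtime, mtime))  # fixed timestamps for the demo
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(summarize(find_ransom_notes(build_sample_tree(tmp))))
```
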

The victim's desktop background is also changed to tell them they've been infected. It features a timer ticking down from 96 hours, warning the user that if they don't pay within that time, all of their files will be permanently encrypted with MarsJoke.

The criminals also warn that any action taken to remove the ransomware without paying will result in the computer's files being lost forever. It's worth noting that the visual style of the ransom demand is very similar to that of the CTB-Locker ransomware family.


The visual style of MarsJoke mimics CTB-Locker

Image: Proofpoint

Like many schemes of this type, the criminals behind MarsJoke provide a 'help' service that instructs victims how to acquire the Bitcoin required to pay the ransom, as well as offering the option to decrypt two files for free.

As MarsJoke is a new strain of ransomware, there's currently no means of decrypting files without paying the ransom. Proofpoint researchers suggest this variant isn't "just another ransomware", with a highly sophisticated operation likely to be behind it.

The vast majority of the MarsJoke emails target state and local government agencies, with schools also a major focus of the campaign. These sectors, particularly education, are likely to be hit because cybercriminals view them as an easy target, due to a lack of infrastructure and funding in place to protect users. The ransomware is also targeting the healthcare, telecoms, and insurance sectors, although on a much smaller scale.

