The recently discovered MarsJoke ransomware has a encryption weakness that has allowed Kaspersky Lab security researchers to create a decryptor and help users restore their files for free.
Spotted for the first time in late August, the ransomware family gained attention last week, when the first large-scale spam distribution campaign was spotted. Dubbed MarsJoke, but also referred to as Polyglot, the malware was found to copy the previously established CTB-Locker ransomware and to target mainly government agencies and educational institutions.
MarsJoke/Polyglot is being distributed through spam emails that link to a malicious file, either an executable or a RAR archive (which contains cryptor’s executable code). Immediately after infection, the ransomware appears to be doing nothing, but it actually copies itself to multiple locations, while also writing itself to the autostart folder and to TaskScheduler.
During the encryption process, the malware doesn’t change the name of encrypted files, but makes their content inaccessible to the user. After encrypting victim’s files, the malware changes the desktop wallpaper with an image unique to each victim, and displays a ransom message. It also allows the victim to decrypt several files for free, Kaspersky Lab researchers explain.
Users are told to pay the ransom in Bitcoin and the ransomware contacts the command and control (C&C) server located on the Tor network to retrieve information about the ransom amount and the Bitcoin address the payment should be made to. If the payment isn’t made within a specific time frame, the malware notifies the user that the files can no longer be decrypted.
While analyzing the threat, the security researchers observed that it mimics all of the features CTB-Locker had, including graphical interface window, language switch, encryption algorithms, sequence of actions for requesting the encryption key, payment page, and desktop wallpapers. However, the two don’t share code, as MarsJoke/Polyglot was developed independently from CTB-Locker, Kaspersky Lab researchers say.
Further analysis revealed that the malware performs a three-stage encryption: it places the file in a password-protected ZIP archive named as the original file but having the “a19” extension; encrypts the archive with the AES-256-ECB algorithm and changes the extension to “ap19”; deletes the original file and the a19 archive and changes the “ap19” extension to that of the original file.
The ransomware generates a separate AES key for each file, and each of the generated keys is based on a randomly generated array of characters. Because the strength of the keys is determined by the generator’s strength, weakened implementation of the generator has resulted in easy to find keys.
“Only the cybercriminal knows why they decided to make the random string this much weaker – an exhaustive search of the entire set of the possible keys produced by such a pseudo-random number generator will only take a few minutes on a standard PC,” Kaspersky’s researchers explain. “Taking advantage of this mistake, we were able to calculate the AES key for an encrypted file.”
Although the resulting file is a password-protected archive, the security researchers discovered that the password protecting it is weak as well. The key is only 4 bytes and those bytes were selected from the string MachineGuid, which is the unique ID that the operating system assigns to the computer. “If we know the positions in which the 4 characters of the ZIP archive password are located, we can easily unpack the archive,” the researchers reveal.
Decryption capabilities for the MarsJoke/Polyglot ransomware have been already included in Kaspersky Lab’s free utility dubbed RannohDecryptor. Just over a month ago, the security researchers managed to break the encryption of the Wildfire ransomware and made a decryptor available through the No More Ransom Project.