Security News: MarsJoke Launches a New Ransomware Approach

frogboy

In memoriam 1961-2018
Thread author
Verified
Top Poster
Well-known
Jun 9, 2013
6,720
Women are from Venus and malware is from…Mars? Maybe: A new type of ransomware has appeared in orbit, dubbed MarsJoke.

Its name is based on a string contained within the code: “HelloWorldItsJokeFromMars.” Presumably of Earth origin, it’s also no joke. MarsJoke is mounting a large-scale email campaign to target primarily state and local government agencies and educational institutions in the United States. Once infected, victims have 96 hours to submit the ransom of 0.7 BTC (currently around $320) before files are deleted.

“Ransomware has become a billion dollar a year industry for cyber-criminals,” Proofpoint researchers said, in a blog. “In the case of the MarsJoke campaign described here, K12 educational institutions and state and local governments are often seen as easy targets because they lack the infrastructure and funding to ensure robust backups and strong defensive resources are in place to prevent and mitigate infections.”

Proofpoint researchers said that this is very similar to CryptFile2 campaigns, while visually, it mimics the style of CTB-Locker. The similarities point to the conclusion that a well-known botnet, Kelihos, is responsible for distributing the spam.

On September 22, Proofpoint detected the email campaign, which is using a variety of subject lines referencing a major national air carrier and package-tracking (adding an air of legitimacy to the lures with stolen branding). The emails contained URLs linking to an executable file named "file_6.exe" hosted on various sites with recently registered domains.

“This is a departure from the much more frequent attached document campaigns we have observed recently with a range of malware, including the widely distributed Locky ransomware,” the researchers said.

While the campaign is primarily aimed at state and local government agencies, followed by K-12 educational institutions, messages also came through in smaller numbers for healthcare, telecommunications, insurance and several other verticals.

Full article: http://www.infosecurity-magazine.com/news/marsjoke-launches-a-new-ransomware/
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
No serious backup plan = welcome ransomware, advanced or not; there is really no difference.
Ransomware usually adds a special file ending to each encrypted file -- correct?
So synced cloud storage should be adequate protection, because if the encrypted file has a new name, it won't overwrite the old, unencrypted file.
Please correct me if I am making a mistake about this.
 

Mike Forgione

Level 1
Apr 2, 2016
6
Not necessarily. If it is a differential type backup, it may see it as a change to the file and sync that file name to replace it. You may want to look to find out if your cloud backup allows for versioning. This way, if it does overwrite a file, you can roll it back like shadow copies on Windows.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Not necessarily. If it is a differential type backup, it may see it as a change to the file and sync that file name to replace it. You may want to look to find out if your cloud backup allows for versioning. This way, if it does overwrite a file, you can roll it back like shadow copies on Windows.
In my experience, Dropbox and OneDrive will see a changed file ending as a different file.
For instance, if you change a file from .doc to .docx, it will see it as two different files.
 

Mike Forgione

Level 1
Apr 2, 2016
6
You are probably right. They are technically two different files. Now I want to test it and see if there is the possibility of it overwriting the original. The reason for this is that if it doesn't see the original, which it won't, it may handle it as if you deleted the file, so it removes the copy from the cloud.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
If it doesn't see the original, which it won't, it may handle it as if you deleted the file, so it removes the copy from the cloud.
Ah, now I think you are on to the problem. That makes sense. You will have to go and retrieve everything from the cloud trash bin, which can be a messy and time-consuming business.
 

LabZero

Ransomware usually adds a special file ending to each encrypted file -- correct?
So synced cloud storage should be adequate protection, because if the encrypted file has a new name, it won't overwrite the old, unencrypted file.
Please correct me if I am making a mistake about this.
The latest ransomware variants can encrypt even files on the local network (and therefore also the files that are stored on other workstations or on a NAS server).
If a folder is shared on the local network and is therefore accessible from the infected system, it is highly likely that the ransomware will also start to encrypt the content of these resources.
Also, if a folder is shared or synchronized with the cloud (for example OneDrive, Dropbox or Google Drive) and is accessible from the Windows interface via Windows Explorer, the ransomware can encrypt the data saved in the cloud.

However, cloud services (above) have functionality to access the stored files history: this means that usually you can retrieve the previous versions of the (not encrypted) files.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Cloud services (above) have functionality to access the stored files' history: this means that usually you can retrieve the previous versions of the (not encrypted) files.
It's not so practical if you have thousands of files and have to retrieve the previous version of each one.
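As an added defender-side illustration (not from the article or from any poster in this thread), the Python below models the pattern the thread converges on: a sync client sees "original deleted, new file with an extra extension created", so a burst of such pairs is the signal to alert on, and the list of originals is what has to come back from version history or the trash bin. The event format, the ".a19" extension and the threshold are constructed assumptions.

```python
from collections import Counter, namedtuple
from datetime import datetime, timedelta

# One sync-client event: when, what happened, which path (format is an assumption).
Event = namedtuple("Event", "ts action path")

# Constructed sample event stream; ".a19" is a made-up appended extension.
T0 = datetime(2016, 9, 23, 10, 5, 0)
SAMPLE_EVENTS = [
    Event(T0 - timedelta(minutes=5), "modified", "Docs/budget.xlsx"),
    Event(T0 + timedelta(seconds=1), "deleted", "Docs/report.docx"),
    Event(T0 + timedelta(seconds=1), "created", "Docs/report.docx.a19"),
    Event(T0 + timedelta(seconds=2), "deleted", "Docs/minutes.pdf"),
    Event(T0 + timedelta(seconds=2), "created", "Docs/minutes.pdf.a19"),
    Event(T0 + timedelta(seconds=3), "deleted", "Photos/cat.jpg"),
    Event(T0 + timedelta(seconds=3), "created", "Photos/cat.jpg.a19"),
    Event(T0 + timedelta(seconds=4), "created", "Docs/README.txt"),  # ordinary new file
    Event(T0 + timedelta(hours=1), "deleted", "Docs/old.txt"),       # ordinary delete
]


def find_encrypted_twins(events, window=timedelta(seconds=30)):
    """Map original_path -> new_path for every deleted file that reappears
    within `window` under its own name plus one more extension: the
    delete-plus-create pair a sync client records when 'file.docx' is
    replaced by 'file.docx.<ext>'."""
    created = [e for e in events if e.action == "created"]
    twins = {}
    for gone in (e for e in events if e.action == "deleted"):
        for new in created:
            close_in_time = abs(new.ts - gone.ts) <= window
            if close_in_time and new.path.startswith(gone.path + "."):
                twins[gone.path] = new.path
                break
    return twins


def assess(events, threshold=3, window=timedelta(seconds=30)):
    """Alert when `threshold` or more twin pairs share one appended extension,
    and list the originals to pull back from version history or trash."""
    twins = find_encrypted_twins(events, window)
    suffixes = Counter(new[len(old):] for old, new in twins.items())
    ext, hits = suffixes.most_common(1)[0] if suffixes else ("", 0)
    return {
        "alert": hits >= threshold,
        "extension": ext,
        "restore": sorted(old for old, new in twins.items() if new.endswith(ext)),
    }
```

Running `assess(SAMPLE_EVENTS)` flags the three paired events as one incident with extension ".a19" and ignores the unrelated create and delete, which is the shape a sync-log alert or a restore script would key on.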
 