Kaspersky researchers find and exploit a flaw in the encryption routine used by the MarsJoke ransomware

Oct 4, 2016 03:50 GMT

For the time being, victims of the MarsJoke ransomware can recover their files using a free decrypter created by security experts at Kaspersky Lab.

MarsJoke ransomware, also known as JokeFromMars or Polyglot, is a ransomware variant that first appeared two weeks ago. It is spread by malicious spam emails and has focused on government and K-12 education targets.

The ransomware has been fairly active and has caught the eye of several independent security researchers, as well as analysts at big security vendors such as Proofpoint and Kaspersky.

MarsJoke decrypter available for download

The latter announced today that they have identified a weakness in the ransomware's encryption routine and used it to build a decrypter, which is now available as a free download from their site as part of the RannohDecryptor tool.

Kaspersky Lab experts warn that the decrypter only works against the ransomware's current versions, and that future iterations may not contain the same flaw that allows the decrypter to recover the encryption keys.

Researchers cite the precedent of the CryptXXX ransomware, whose encryption Kaspersky experts broke three times, releasing a free decrypter each time, until CryptXXX's authors identified the encryption bug and fixed it for good.

MarsJoke encryption flaw resides in the key generator code

Malware analysts who have taken a closer look at MarsJoke say the ransomware appears to be the work of a talented coder.

Despite this, its creators put a great deal of effort into copying the visual style of the CTB-Locker ransomware, a family that, years after its appearance, still has no working decrypter.

"Despite the apparent similarities between Polyglot and CTB-Locker, they are two completely different malware species. They share almost no code," Kaspersky explained yesterday. "Our experts think that by mimicking CTB-Locker’s looks, Polyglot’s creators were trying to put researchers on the wrong track."

According to Kaspersky, the MarsJoke author made a mistake in the ransomware's module that generates the encryption keys. This error allowed researchers to create the decrypter.
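The article does not say what the key-generation mistake was, and the example below is not Kaspersky's decrypter and not the actual MarsJoke defect. It is an added illustration of the general class of flaw that makes a decrypter possible: a key derived from a low-entropy, predictable seed (here a hypothetical 32-bit timestamp). The names `weak_keygen`, `recover_key` and the sample PNG file are constructed for the demonstration; the "decrypter" side shows why a defender who can bound when the files were encrypted (file timestamps, logs) can recover the key, and why Kaspersky's caveat matters: once the author switches to a proper CSPRNG, the bounded search no longer works.

```python
import hashlib
import struct

# Constructed sample input: a file that starts with a well-known format header.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
SAMPLE_PLAINTEXT = PNG_MAGIC + b"\x00\x00\x00\rIHDR" + bytes(range(64))
# Constructed infection time (roughly Oct 4, 2016), used by the flawed generator as its seed.
INFECTION_TIME = 1475545800


def weak_keygen(seed: int) -> bytes:
    """Hypothetical flawed key generator: a 256-bit key stretched from a 32-bit seed.

    The key has at most 32 bits of entropy, and far fewer when the seed is a
    timestamp a defender can bound to a window of hours.
    """
    return hashlib.sha256(struct.pack("<I", seed)).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream (SHA-256 of key || counter); stands in for a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack("<Q", counter)).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Symmetric: encrypts plaintext and decrypts ciphertext with the same call."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def recover_key(ciphertext: bytes, known_prefix: bytes, seed_lo: int, seed_hi: int):
    """Decrypter side: walk the bounded seed window and accept the candidate key
    whose keystream turns the ciphertext head back into the known file header."""
    head = ciphertext[: len(known_prefix)]
    for seed in range(seed_lo, seed_hi + 1):
        key = weak_keygen(seed)
        if xor_crypt(key, head) == known_prefix:
            return seed, key
    return None


def demo(window_seconds: int = 3600):
    """Encrypt the sample with the flawed generator, then recover the key knowing
    only the ciphertext, the PNG header and an approximate infection time."""
    key = weak_keygen(INFECTION_TIME)
    ciphertext = xor_crypt(key, SAMPLE_PLAINTEXT)
    found = recover_key(
        ciphertext, PNG_MAGIC,
        INFECTION_TIME - window_seconds, INFECTION_TIME + window_seconds,
    )
    if found is None:
        return None
    seed, recovered = found
    return {
        "seed": seed,
        "key_matches": recovered == key,
        "plaintext": xor_crypt(recovered, ciphertext),
    }


if __name__ == "__main__":
    result = demo()
    print("recovered seed:", result["seed"], "key matches:", result["key_matches"])
```

A two-hour window is only 7,201 candidates, so recovery is instant; the same search over a key drawn from the operating system's CSPRNG would have to cover 2^256 candidates and is hopeless, which is exactly the fix a ransomware author would apply in a later version.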

For now, MarsJoke victims can enjoy a happy ending. If the ransomware is updated regularly, expect the decrypter to stop working in the coming weeks.

Image: MarsJoke ransom note
Image: RannohDecryptor