Security experts identified an ongoing spam email campaign that is infected by the MarsJoke ransomware delivered via the Kelihos botnet. The targets are American Government agencies and state institutions.
MarsJoke Points Guns at USA Institutions
Security exerts have spotted a new malicious email campaign that targets American local and state government institutions and education facilities with the MarsJoke ransomware. The threat is being powered by the Kelihos botnet.
The emails are distributed in a standard manner. The messages contain malicious links that link to a malware executable file. The attackers pose as legitimate messages from airlines and the first attacks using the ransomware began on the 22nd of September.
Some of the subject lines include the following:
- Checking tracking number
- Check your package
- Check your TN
- Check your tracking number
- Tracking information
- Track your package
The ransomware mimicks visually CTB-Locker and other notable threats. MarsJoke encrypts the victim user files upon execution and seeks the sum of 0.7 Bitcoins as ransom. A time limit of 96 hours is also activated.
The ransomware comes with its own helper application which displays the ransomware notification and can access the Onion portal on the TOR network.
The following files are created on the victim’s machine:
C:\$Recycle.Bin\!!! For Decrypt !!!.bat
C:\$Recycle.Bin\!!! Readme for Decrypt !!!.txt
C:\Documents and Settings\!!! For Decrypt !!!.bat
C:\Documents and Settings\!!! Readme for Decrypt !!!.txt
C:\PerfLogs\!!! For Decrypt !!!.bat
C:\Program Files\!!! For Decrypt !!!.bat
C:\Program Files\!!! Readme For Decrypt !!!.txt
The encrypted user files retain their original file extensions. Temporary files are used during the encryption process with the extensions .19 and .apt19.
The Desktop background is changed with the ransomware notification message displayed in English, Russian, Italian, Spanish and Ukrainian.
This is a whole new strain of ransomware that is not based on any other code. A decryptor is not yet available.