MarsJoke Ransomware Campaign Discovered: K12 Schools Targeted

A massive spam email campaign was launched this week to spread MarsJoke Ransomware, a relatively new ransomware variant that was first discovered by Proofpoint researcher Darien Huss in August this year.

Spam emails are often sent out randomly by cybercriminal gangs in the hope that some end users will open the emails and infect their computers. However, the gang behind this campaign is targeting government organizations and K12 educational institutions, and to a lesser extent, healthcare organizations and companies in the telecommunication sector.

MarsJoke Ransomware was initially sent out in small campaigns in August using the Kelihos botnet. Security researchers noticed that the Kelihos botnet had been growing in size over the summer and that operations had been changed from conducting pharmaceutical spam campaigns to delivering ransomware and banking Trojans. The initial campaigns appeared to be tests. Now a massive campaign has been launched.

The spam emails appear to have been sent by well-known airlines, claiming a package has been dispatched. The emails also contain a link to allow the recipient to track their package. The emails use convincing imagery and appear genuine, although one of the emails captured by Proofpoint contained spelling mistakes and grammatical errors suggesting the email was not genuine. Even so, many recipients are likely to fall for the campaign. Clicking the link downloads an executable file, which if run, will install the ransomware.

Once infected, a wide range of file types will be locked with AES-256 encryption. The desktop wallpaper is replaced with a ransom note and instructions for paying the ransom are downloaded to the desktop. Victims are given 96 hours to make the ransom payment of 0.7 Bitcoin – around $320 – to obtain the key to decrypt files. If the time limit is exceeded, or if the user attempts to decrypt files without paying, the attackers say they will delete the decryption keys.

At present there is no decrypter available to recover files locked with MarsJoke ransomware. If files are encrypted, victims have two options for recovering data: Restoring encrypted files from backups or paying the ransom demand.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of