MarsJoke Ransomware Decryptor Now Available

Security researchers from Kaspersky Lab's anti-ransom team have released a MarsJoke ransomware decryptor, which can be downloaded free of charge from the Kaspersky website. The ransomware, also known as Polyglot, was being distributed in a large spam email campaign that was discovered by Proofpoint researchers on September 22. The victims were sent a malicious email containing a link that downloaded an executable file, which installed the ransomware.

The ransomware was similar to CTB-Locker at first appearance. It used a similar desktop wallpaper to alert the victim to the infection and the ransomware also allowed the victim to decrypt five files without paying a ransom, again similar to CTB-Locker.

However, that is where the similarities ended. The ransomware authors appeared to have copied the style of CTB-Locker to fool victims and security researchers, although the code used for MarsJoke was different from that used for CTB-Locker.

After closely inspecting the code, the security researchers found many flaws. It was therefore straightforward to develop a MarsJoke ransomware decryptor. According to Anton Ivanov, Orkhan Mamedov, and Fedor Sinitsyn, who have been working on cracking the encryption, one of the main flaws was in the key generator.

The keys to unlock the encryption are based on a random string of characters, but the generator that produced those strings was weak. This enabled the researchers to enumerate all of the possible keys and write their own pseudo-random number generator that reproduces them. With it, the AES key for an infected file can be calculated in just a few minutes.
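To illustrate why a weak key generator makes a decryptor feasible, here is an added toy model (not MarsJoke's real code, and not Kaspersky's tool): the "random" key string is produced by a PRNG seeded with only a 16-bit value, so every possible key can be walked through and checked against a known file header. The SHA-256 counter-mode keystream is a stand-in for AES so the script needs no third-party library; the enumeration does not depend on which cipher is used.

```python
import hashlib
import random

# Constructed toy parameters (assumptions, not MarsJoke's actual values):
# the key string is drawn from this alphabet by a PRNG seeded with 16 bits,
# so there are only 65,536 distinct keys in the whole keyspace.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
SEED_BITS = 16
KEY_CHARS = 16


def weak_key_string(seed: int) -> str:
    """The flawed 'random string' generator: fully determined by a small seed."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(KEY_CHARS))


def derive_key(key_string: str) -> bytes:
    """16-byte file key derived from the key string (plays the role of the AES key)."""
    return hashlib.sha256(key_string.encode()).digest()[:16]


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR with a SHA-256 counter-mode keystream (symmetric)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


def encrypt_file(data: bytes, seed: int) -> bytes:
    """What the toy ransomware does to a file, using a key from the weak generator."""
    return keystream_xor(derive_key(weak_key_string(seed)), data)


def recover_key(ciphertext: bytes, known_header: bytes):
    """Decryptor logic: regenerate every candidate key and keep the one that
    turns the first bytes back into the expected file header (known plaintext)."""
    for seed in range(1 << SEED_BITS):
        key = derive_key(weak_key_string(seed))
        if keystream_xor(key, ciphertext[:len(known_header)]) == known_header:
            return seed, key
    return None


if __name__ == "__main__":
    sample = b"%PDF-1.7\n" + b"constructed sample document body\n"  # constructed input
    ct = encrypt_file(sample, seed=0xBEEF)
    seed, key = recover_key(ct, b"%PDF-1.7")
    print("seed recovered:", seed == 0xBEEF, "file restored:", keystream_xor(key, ct) == sample)
```

The defender's takeaway is that key security rests entirely on the entropy feeding the generator: a 16-bit seed is searched in seconds, and a 32-bit seed in hours, regardless of how strong the cipher itself is.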

While this is certainly good news for anyone currently infected, it is unlikely that the MarsJoke Ransomware decryptor will work for very long. The authors of the ransomware will undoubtedly update their code and will fix the flaw, rendering the decryptor useless. For now at least, victims need not pay the ransom to unlock their files.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news