MarsJoke Ransomware Targets State And Local Government Agencies

In a new blog post researchers from Proofpoint detail their discovery of the MarsJoke ransomware, which is targeting state and local government agencies and educational institutions in the United States.

Proofpoint researchers originally spotted the MarsJoke ransomware in late August by trawling through their repository of unknown malware. However, beginning on September 22, 2016, they detected the first large-scale email campaign distributing MarsJoke.

The full blog post announcing Proofpoint’s discovery can be found here, however key takeouts include:

  • Proofpoint detected a large MarsJoke ransomware email campaign. Emails contained URLs linking to an executable file named “file_6.exe” hosted on various sites with recently registered domains, apparently for the purpose of supporting this campaign. This is a departure from the much more frequent attached document campaigns we have observed recently with a range of malware, including the widely distributed Locky ransomware. The messages in this campaign used a convincing email body and had a variety of Subject lines referencing a major national air carrier, adding an air of legitimacy to the lures with stolen branding.
  • To alert victims that they are infected and their files are encrypted, this ransomware creates “!!! For Decrypt !!!.bat”, “!!! Readme For Decrypt !!!.txt”, and “ReadMeFilesDecrypt!!!.txt” files sprinkled throughout the victim’s file system, similar to many other types of ransomware.
  • Ransomware has become a billion dollar a year industry for cybercriminals. In the case of the MarsJoke campaign described here, K12 educational institutions and state and local governments are often seen as easy targets because they lack the infrastructure and funding to ensure robust backups and strong defensive resources are in place to prevent and mitigate infections. MarsJoke does not appear to be “just another ransomware,” though. The message volume and targeting associated with this campaign bear further monitoring as attackers look to monetize new variants and old strains saturate potential victims.

[su_box title=”About Proofpoint Inc.” style=”noise” box_color=”#336588″][short_info id=’60344′ desc=”true” all=”false”][/su_box]