MarsJoke ransomware variant targets local and state governments


A recently discovered strain of ransomware dubbed MarsJoke is predominantly targeting local and state government officials by luring them to click on malware-laced download links that appear to offer nonexistent package tracking services.

The increasingly popular scam, which was first discovered by cybersecurity researchers at Proofpoint, encrypts a victim’s data and threatens to permanently encrypt files if an untraceable, bitcoin-based ransom payment of roughly $320 is not received within 96 hours.

Researchers decided to name the ransomware MarsJoke based on a string within the code that reads “HelloWorldItsJokeFromMars.”

When clicked on, the malicious URL will redirect users to a website that launches a file download. Afterwards, the victim’s desktop background will change and be locked before several dialogue boxes pop up. A range of different language options are available to review the instructions, including English, Russian, Italian and Spanish.

The lock screen when a computer is infected with MarsJoke ransomware --image via Proofpoint blog

MarsJoke is the latest in a long line of ransomware variants that target government systems, hoping to extort money through threats of destroying valuable information.

MarsJoke, for example, shares a number of similarities with the widely known CryptFile2 campaign, another ransomware scheme, which offered fake airline ticket discounts and coupons. Both MarsJoke and CryptFile2 boasted well-crafted email bodies, including stolen branding used by legitimate businesses, to appear legitimate.

The third most common target for MarsJoke after local and state government offices is K-12 educational institutions.

Though the government and education sectors are not widely considered to be extensively threatened by ransomware, a recently released research report by security ratings firm BitSight found the education sector to be highly targeted by ransomware campaigns.

“Although patient data makes healthcare organizations a prime target for ransomware attacks, other industries are [also] … on a cyber criminal’s radar,” the BitSight report reads. “Intellectual property, classified government documents, and private financial data are just some of the types of records that cyber criminals may pursue within other industries.”

Researchers believe that MarsJoke is not “just another ransomware” variant, but rather a highly sophisticated operation orchestrated by a well-resourced criminal group.