Cyber criminals are using the Kelihos botnet to extort Bitcoin payments out of the ransomware’s victims
Ransomware targeting US government agencies and education institutions, has been discovered by cyber security researchers from Proofpoint.
Dubbed MarsJoke, the ransomware was uncovered in late August and found to be hiding behind email that convincingly resembled those from a major yet unnamed national US airline.
“This is a departure from the much more frequent attached document campaigns we have observed recently with a range of malware, including the widely distributed Locky ransomware,” the researchers said.
“The messages in this campaign used a convincing email body and had a variety of Subject lines referencing a major national air carrier, adding an air of legitimacy to the lures with stolen branding.”
The ransomware appears to have used Kelihos, a well-known botnet, for its distribution and spreads an email to its victims about a tracked parcel from the airline carrier prompting them to click on a link in the email to track the parcel.
Once the victims do this they are taken to a malicious URL which infects the victim’s computer with the MarsJoke ransomware. Once infected, files on the target machine get encrypted and files are created with names such as “ReadMeFilesDecrypt!!!.tx” as a means to alert victims that their machine has been infected.
The user’s desktop is also changed to display a message declaring the victim’s personal files are encrypted and they have 96 hours to submit a Bitcoin payment otherwise the filed will remain encrypted indefinitely.
Victims are also warned not to try and remove the ransomware otherwise the decryption key will be lost. As step-by-step guide is provided to instruct the victims on how to pay the cyber criminals.
Proofpoint’s researchers said MarsJoke is no ordinary ransomware and appears to be backed up by a capable cyber criminal operation.
It is worth noting however, the sample emails provided by Proofpoint were littered with errors that should server as a warning to victims that they may have not come from a legitimate source. Nevertheless, the ransomware appears to have the potential to wreak havoc on its victims, particularly when they are part of the public sector.
“Educational institutions and state and local governments are often seen as easy targets because they lack the infrastructure and funding to ensure robust backups and strong defensive resources are in place to prevent and mitigate infections,” Proofpoint said.
Ransomware in an increasing problem, with ever more sophisticated scams able to befuddle the less technical savvy targets. In the US, ransomware has forced hospitals to payout $100,000 to cyber criminals who appear to lack even a shred of common decency or conscience.