Skip to content ↓ | Skip to navigation ↓

MarsJoke ransomware once posed a serious threat to users, but not as much now that researchers released a decryption tool.

Kaspersky Lab’s Anton Ivanov, Orkhan Mamedov, Fedor Sinitsyn said they created the decryptor by exploiting a flaw in the ransomware’s code. Specifically, MarsJoke uses a function “rand()” to randomly generate an array of characters. That array serves as the basis for a particular infection’s encryption keys.

marsjoke cryptor
Source: Kaspersky Lab

But as the researchers explain in a blog post, the ransomware didn’t seize on the whole output of rand(), a decision which made the encryption key much easier to crack:

“Please note that when another random byte is selected, the entire result of the function rand() is not used, just the remainder of dividing the result by 32. Only the cybercriminal knows why they decided to make the random string this much weaker – an exhaustive search of the entire set of the possible keys produced by such a pseudo-random number generator will only take a few minutes on a standard PC.”

Not only that, but researchers also found that the key used to encrypt a password-protected file in which a user’s files were stored was only four characters long.


By knowing the positions of each of the four characters, they could unpack the archive and help users regain access to their files.

That’s exactly what they did with the release of their updated RannohDecryptor utility. Now anyone who’s affected by the ransomware can decrypt their files for free.

MarsJoke, also known as Polygot, first made news back in mid-September when researchers at Proofpoint spotted the ransomware targeting government agencies and educational institutions, among other organizations.

Vertical targeting by indexed message volume (Source: Proofpoint)

Those analyzing the ransomware noticed MarsJoke closely mimics the look and feel of CTB-Locker, another form of crypto-malware.

Kaspersky Lab’s researchers have since determined malware authors developed MarsJoke independently of CTB-Locker and that the two ransomware strains don’t share any code.

For tips on how to protect against a MarsJoke infection, please view our ransomware prevention tips here.

You can also learn more about ransomware in general here.

cyber ebook