MarsJoke ransomware distributed via Kelihos, targets U.S. state, fed gov’t agencies

A large email campaign targeting state and local governments in the U.S., as well as educational institutions, is distributing a new ransomware called MarsJoke via the popular Kelihos botnet, Proofpoint researchers discovered.

The distribution methods closely mirror those of CryptFile2, researchers wrote in a blog post. Emails sent to potential victims contain URLs that link to a “file_6.exe” executable file, representing “a departure from the much more frequent attached document campaigns we have observed recently with a range of malware, including the widely distributed Locky ransomware,” the researchers wrote. They called the email body used by the messages “convincing” and noted that the subject lines that referenced a national airline added “an air of legitimacy to the lures with stolen branding.”

Researchers named the ransomware after a string within its code that reads “HelloWorldItsJokeFromMars.” They noted that the ransomware visually “mimics the style of CTB-Locker, including the helper application displayed to the user and the onion portal.”
