A large email campaign targeting state and local governments in the U.S. as well as educational institutions distributes a new ransomware called MarsJoke via the popular Kelihos botnet, Proofpoint researchers discovered.
The distribution methods closely mirror those of CryptFile2, researchers wrote in a blog post. Emails sent to potential victims contain URLs that link to a "file_6.exe" executable file, representing “a departure from the much more frequent attached document campaigns we have observed recently with a range of malware, including the widely distributed Locky ransomware,” the researchers wrote, calling the email body used by the messages “convincing” and noting that the subject lines that referenced a national airline added “an air of legitimacy to the lures with stolen branding.”
Researchers gave the ransomware its moniker after a string within its code that reads “HelloWorldItsJokeFromMars.” They noted that the ransomware visually “mimics the style of CTB-Locker, including the helper application displayed to the user and the onion portal.”