October 3, 2016

Kaspersky Lab Releases Decryption Tool for Polyglot Ransomware That Disguises Itself as CTB-Locker

Users who have suffered from Polyglot ransomware, also known as MarsJoke, can now restore their files with the decryption tool developed by Kaspersky Lab.

Woburn, MA – October 3, 2016 – Kaspersky Lab announced today that users who have suffered from Polyglot ransomware, also known as MarsJoke, can now restore their files with the decryption tool developed by Kaspersky Lab experts.

The Polyglot Trojan has been propagating via spam emails containing a malicious attachment packed in a RAR archive. During the encryption process, the Trojan does not change the names of the files on an infected machine; instead, it blocks access to them. After the encryption is completed, the desktop wallpaper on the victim’s screen is replaced with the ransom demand. The fraudsters request their ransom in bitcoins, and if the payment is not made in time, the Trojan deletes itself from the infected device, leaving all files encrypted.

This new ransomware looks similar to the infamous CTB-Locker ransomware; however, after proper analysis, Kaspersky Lab experts haven't found any similarities between the code of the two malware families. The Polyglot ransomware mimics CTB-Locker in nearly every way: it has an almost identical graphical interface, it requires a similar sequence of actions to obtain the decryption key, and the payment page, desktop wallpaper, etc. all look the same. The creators of Polyglot apparently thought that by mimicking CTB-Locker they could trick users into thinking they were suffering from serious malware, leaving them with no option other than to pay the criminals.

Kaspersky Lab experts have carefully examined the Polyglot encryption mechanism and found that, unlike CTB-Locker, it uses a weak encryption key generator. A brute-force search through the whole set of possible Polyglot decryption key variants can be performed in less than a minute on a standard PC. Discovering this weakness allowed Kaspersky Lab experts to develop a tool that can help to unlock users’ data.

“This case teaches us to never give up: ransomware has become a serious problem for all users, but sometimes a solution can be found,” said Anton Ivanov, senior malware analyst, Kaspersky Lab. “In this case the malware authors made an implementation mistake, making it possible to break the encryption. However, users should not rely only on luck when it comes to ransomware. This case is the exception rather than the rule, therefore we recommend all users to protect their devices proactively by using a reliable security solution and making sure all anti-encryption technologies are switched on.”

Kaspersky Lab detects this ransomware as Trojan-Ransom.Win32.Polyglot and PDM:Trojan.Win32.Generic. Read the detailed blogpost on Securelist.com to learn more about the technical specifications of this Trojan.

More decryption tools are available on the No More Ransom website. The No More Ransom project is a joint initiative between Kaspersky Lab, the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre and Intel Security. Its primary goal is to help the victims of ransomware retrieve their encrypted data without having to pay the criminals.

About Kaspersky Lab

Kaspersky Lab is a global cybersecurity company founded in 1997. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them.

Learn more at www.kaspersky.com.

For the latest in-depth information on security threat issues and trends, please visit:
Securelist | Information about Viruses, Hackers and Spam
Threatpost | The First Stop for Security News

Media Contact:
Jennifer Wood