MarsJoke: the cryptor and the cure

Polyglot, aka MarsJoke, had aspirations. It was trying to be the next CTB-Locker — but we developed a cure.

Every day, new versions and variations of ransomware pop up. Malware creators are still sure that ransomware is their ticket to easy street, despite the fact that law enforcement agencies are paying more and more attention to the problem.

MarsJoke: the cryptor and the cure

In fact, so many different versions are out there, ransomware creators have started to repeat themselves or copy the work of others. For example, the recently discovered Trojan-cryptor Polyglot, aka MarsJoke, is a knockoff of the infamous (and rather nasty) CTB-Locker ransomware.

You can see traces of CTB-Locker all over Polyglot. Its interface is absurdly reminiscent of the older Trojan. It changes victims’ desktop wallpaper the same way and, just like CTB-Locker, it lets victims decrypt five files free as proof that they can be decrypted.

Polyglot’s instructions to victims are also identical to those of CTB-Locker — the text looks to have been copied and pasted. Even the “Request failed” window that pops up in case there is no Internet connection looks the same.

MarsJoke: the cryptor and the cure

The encryption algorithms Polyglot uses are also the same — and they are rather strong.

Polyglot is delivered mostly through spam — the letters contain malicious links allegedly leading to some important documents. Of course, there are no documents — just an archive with a malicious executable file. Once installed, Polyglot connects to its command-and-control sever to send information about the infected PC and handle the ransom. In our case, it demanded 0.7 bitcoins, which is about $320.

Perhaps the only visual discrepancy between CTB-Locker and its new clone is that MarsJoke/Polyglot leaves the encrypted files with their original extensions, whereas CTB-Locker changed the extension — usually to .ctbl or .ctb2.

Despite the apparent similarities between Polyglot and CTB-Locker, they are two completely different malware species. They share almost no code. Our experts think that by mimicking CTB-Locker’s looks, Polyglot’s creators were trying to put researchers on the wrong track.

MarsJoke: the cryptor and the cure

Fortunately, Polyglot’s creator made a mistake with the key generator, which made it possible for Kaspersky Lab’s researchers to come up with a free decryptor

As you may know, there is no known way to decrypt files encrypted by CTB-Locker without paying the ransom. But again, Polyglot and CTB-Locker are not the same under the hood. And fortunately, Polyglot’s creator made a mistake with the key generator, and that made it possible for Kaspersky Lab’s researchers to come up with a cure — a free utility that can decrypt all of the damaged files.

To decrypt the files encrypted by Polyglot/MarsJoke, download and install the free RannohDecryptor utility (version or newer) from It will restore your files.

Truth be told, we got lucky with Polyglot/MarsJoke. Malware creators are constantly adapting and improving their creations. For example, after we solved CryptXXX three times, its creator finally tuned the encryption algorithm such that our utilities could not handle it. Maybe Polyglot’s creator will manage the same feat. Bottom line: You can’t rely on a decryption utility being available for any ransomware you might encounter.

The best way to stay safe from ransomware is to catch it before it starts doing anything. And that is what good antivirus solutions — like Kaspersky Internet Security — do.

To be on the safe side, we also recommend that you back up your data frequently and avoid opening suspicious attachments or clicking on suspicious links.