Wasted: Kaspersky makes jokers of upstart ransomware VXers

MarsJoke ransomware tarred and feathered.

Kaspersky has released a decryption tool that neuters the MarsJoke ransomware, less than a month after it was first revealed.

The decryption effort is salvation for victims who are told they have 96 hours to pay the 0.7 Bitcoin (US$427) ransom before their data is permanently encrypted.

MarsJoke, also known as Polyglot, spreads through spam bearing compressed .rar attachments.

When executed, the ransomware encrypts files and demands payment before the trojan deletes itself, after which decryption is no longer possible.

Kaspersky says that while MarsJoke bears the iconography of the polished and well-known CTB-Locker ransomware, including the same payment processes, wallpapers, and landing pages, its code is of poor quality.

"The Polyglot ransomware mimics CTB-Locker in nearly every way," researchers say.

"The creators of Polyglot apparently thought that by mimicking CTB-Locker they could trick users, and make them think they are suffering from serious malware, leaving them with no option other than to pay the criminals.

"... after proper analysis, Kaspersky Lab experts haven't found any similarities between their malware codes."

Kaspersky Lab senior malware analyst Anton Ivanov says the MarsJoke authors made an unspecified implementation error allowing the white hats to lay waste to the net menace.

Many ransomware upstarts have been trashed thanks to borked encryption implementations, mistakes which white hat researchers exploit to build decryptors.

Others make the devastating mistake of rolling their own dodgy encryption schemes, while the laziest VXers simply try to scare users into paying for decryption keys already hardcoded into ransomware code.

The anti-ransomware effort has been formalised into the NoMoreRansom alliance, which unifies a formerly scattered and siloed, but furious, effort by malware researchers to lay ruin to scores of ransomware variants, leaving a scant few, including the latest Cryptxxx and Cryptowall, unbroken.

Researchers recently scalped the Wildfire ransomware, uploading more than 1600 decryption keys to the initiative.

Victims who cannot decrypt their ransomware infections should also try Trend Micro's continually updated decryption tool.

Criminals can net a conservative US$84,000 a month slinging ransomware for an investment of $6000, a whopping 1425 per cent profit margin, Trustwave found last year.

The MarsJoke decryption tool can be downloaded from Kaspersky. ®