Polyglot ransomware decryption tool released

Kaspersky Lab experts have released a Polyglot ransomware decryption tool, which enables users who have suffered from this ransomware, also known as MarsJoke, to restore their files.

Trojan propagation

The Polyglot Trojan has been propagating via spam emails containing a malicious attachment packed in a RAR-archive. During the encryption process, the Trojan does not change the names of the files on an infected machine, but it instead blocks access to them.

After the encryption is completed, the desktop wallpaper on a victim’s screen is replaced with the ransom demand. The fraudsters request their ransom in bitcoins, and if the payment does not happen in time, the Trojan will delete itself from the infected device leaving all files encrypted.

Mimicking CTB-Locker

This new ransomware looks similar to the infamous CTB-Locker ransomware. However, after proper analysis, Kaspersky Lab experts haven’t found any similarities between their malware codes.

The Polyglot ransomware mimics CTB-Locker in nearly every way. It has an almost identical graphics interface, a similar sequence of actions are required to obtain the decryption key, and the payment page, desktop Wallpaper, etc. all look the same. The creators of Polyglot apparently thought that by mimicking CTB-Locker they could trick users, and make them think they are suffering from serious malware, leaving them with no option other than to pay the criminals.

Experts have carefully examined the Polyglot encryption mechanism and found that unlike CTB-Locker it uses a weak encryption key generator. A brute-force search through the whole set of possible Polyglot decryption key variants can be performed in less than a minute on a standard PC. Discovering this weakness allowed experts to develop a tool that can help to unlock users’ data.

“This case teaches us to never give up: ransomware has become a serious problem for all users, but sometimes a solution can be found,” said Anton Ivanov, senior malware analyst, Kaspersky Lab. “In this case the malware authors made an implementation mistake, making it possible to break the encryption. However, users should not rely only on luck when it comes to ransomware. This case is the exception rather than the rule, therefore we recommend all users to protect their devices proactively by using a reliable security solution and making sure all anti-encryption technologies are switched on.”

Polyglot ransomware decryption tool download

The decryption tool is available here. More decryption tools are available on the No More Ransom project is a joint initiative between Kaspersky Lab, the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre and Intel Security. Its primary goal is to help the victims of ransomware retrieve their encrypted data without having to pay the criminals.