MarsJoke targets Windows OS and is distributed via spam emails that use fraudulent branding from legitimate air carriers and shipping companies. This spam campaign primarily targets U.S. state and local government agencies, as well as educational institutions. Other targets include the healthcare, telecommunications, insurance, and technology. Subject lines include: Checking tracking number, Check your package, Check your TN, Check your tracking number, Tracking Information, and Track your package. These emails contain malicious links that, if clicked, download an executable file named file_6.exe to the victim’s system. Once the executable is launched, MarsJoke immediately begins to encrypt files, although it doesn’t change the file name or extension. Once the encryption process is complete, the victim’s desktop background is changed and a ransom note is displayed. MarsJoke threatens to delete the decryption key if the ransom is not paid within 96 hours. MarsJoke demands a ransom payment amount of 0.7 Bitcoin.

  • Proofpoint provides more information about MarsJoke here.
  • Kaspersky’s free decryption tool, Rannoh Decryptor, can now decrypt MarsJoke.