Threat Database Ransomware JokeFromMars Ransomware

JokeFromMars Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 80 % (High)
Infected Computers: 41
First Seen: September 20, 2016
Last Seen: April 27, 2023
OS(es) Affected: Windows

The JokeFromMars Ransomware is a ransomware Trojan that may be a variant of CTB-Locker, a known ransomware Trojan that has been responsible for numerous attacks in the last year. Like other ransomware Trojans, the JokeFromMars Ransomware is designed to encrypt its victims' files, to demand the payment of a ransom through text files named 'ReadMeFilesDecrypt!!!.txt' and a ransom note displayed as a pop-up window and as a new Desktop wallpaper image. According to the JokeFromMars Ransomware, victims of the attack must pay 1.1 BitCoin (about $600 USD) within 96 hours to recover the encrypted files. Otherwise, they will be lost forever. The JokeFromMars Ransomware allows victims to decrypt up to five small files to demonstrate that they do in fact have the means to recover the victim's files. PC security analysts strongly advise computer users to avoid paying the JokeFromMars Ransomware ransom. First of all, paying the JokeFromMars Ransomware ransom simply enables these people to continue carrying out these attacks. Apart from this, these con artists cannot be trusted to keep their word; it is common for victims to pay a ransom only to find that they are being asked for more money or received no help at all.

How to Recover from a JokeFromMars Ransomware Attack

Unfortunately, there is currently no method to decrypt the files that have been encrypted by using the JokeFromMars Ransomware. Because of this, the best way to recover from a the JokeFromMars Ransomware attack is to restore the encrypted files from a backup copy. In fact, if all computer users make it a priority to ensure that all of their files are properly backed up, then these attacks would surely stop since the extortionists would have absolutely no leverage to demand ransoms from their victims.

The Joke that No One will Enjoy

The JokeFromMars Ransomware is very similar to numerous other ransomware Trojans. The most common way in which the JokeFromMars Ransomware is distributed is through the use of email attachments, commonly contained in corrupted spam email messages, which may use some social engineering tactic to induce inexperienced PC users into opening the attached file. Threats like the JokeFromMars Ransomware may be distributed on peer-to-peer file networks disguised as popular downloads.

The following is the ransom note that the JokeFromMars Ransomware uses to demand payment from its victims:

Your personal files are encrypted !!!
Your documents, photos, databases and other important files have been encrypted with strongest encryption algorithm AES-256 and unique key, generated for this computer.
Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the decryption key. If you see the main locker window follow the instructions on the locker. Otherwise, it's seems that you or you antivirus deleted the locker program. Now you have the last chance to decrypt your files;
Open site hxxp://rd7v7mhidgrulwqg.onion.link or hxxp://rd7v7mhidgrulwqg.torlink.co or hxxp://rd7v7mhidgrulwqg.onion.to in your browser. They are public gates to the secret server.
If you have problems with gates, use direct connection:
1.Download Tor Browser from hxxp://torproject.org/
2.In the Tor Browser open the rd7v7mhidgrulwqg.onion
Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable.
3.Copy and paste the following public key in the input form on server. Avoid misprints.
7B4E8A-A0C141-43B58C-674143-269A32-E0WPXP
BYKCAY-BZBYNW-BYKCAY-CZCLEN-NPMPMW-PNXSEM
0F065F-78F599-78E59C-4FBC7E-3423D5-1A9390
4.Follow the instructions on the server.
These instructions are also saved to the file named ReadMeFilesDecrypt!!!.txt in Documents folder. You can open it and use copy-paste for address and key.

This text appears in pop-up messages that have been linked to the JokeFromMars Ransomware infection:

Your personal files are encrypted !!!
Your documents, scripts,photos, databases and other important files have been encrypted with strongest encryption algorithm AES-256 and unique key, generated for this computer.
Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the decryption key.
You only have 96 hours to submit the payment. If you do not send money within provided time, all your files will be permanently crypted and no one will be able to recovery them.
Press 'View' to view the list of files that have been encrypted.
Press 'Next' to connect to the secret server and follow instructions.
WARNING! DO NOT TRY TO GET RID OF THE PROGRAMM YOURSELF. ANY ACTION TAKEN WILL RESULT IN DECRYPTION KEY BEING DESTROYED. YOU WILL LOSE YOUR FILES FOREVER. ONLY WAY TO KEEP YOUR FILES IS TO FOLLOW THE INSTRUCTION.

The pop-up window that instructs victims to decrypt up to five files for free reads as:

To make sure that decryption is possible you are allowed to decrypt up to 5 random files for free.
Press 'Search'. Program will scan your disks and decrypt several files.
Press 'Next' to connect to the secret server and decrypt all files.
Press 'Back' to go to the first page.

Below is the message containing the payment information for the JokeFromMars Ransomware:

1.Pay amount of 1.1 BTC (about of 502.83 USD) to address: 3NTf83A3cfPPU3anWioSTYdgRSi2YMhcsxThis address within the Bitcoin payment system. It is created individually for you and charge you only the key to it. Do not pay to other addresses.
2.Transaction will take about 15-30 minutes to confirm.
If you paid press 'Retry'
Decryption will start automatically. Do not: power off computer, run antivirus program, disable internet connection. Failures during key recovery and file decryption may lead to accidental damage on files.
If you have no Bitcoins press 'Exchange.'

Trending

Most Viewed

Loading...