
Marozka Ransomware

By GoldSparrow in Ransomware

The Marozka Ransomware is a file cryptor Trojan that was recognized on March 30th, 2019. It is derived from the HiddenTear open-source ransomware. A particularly interesting message that the Marozka Ransomware carries is that it is a joint project of English and Russian hackers. The threat is distributed via 'traditional' means, namely spam emails and macro-enabled text files. The Marozka Ransomware is observed to change the user's desktop and show symbols associated with the culture of the USA and with socialist ideology in the Russian Federation. Apart from the visual cues and the ransom message employed by the Marozka Ransomware, there is no definitive proof regarding who is behind it. The Marozka Ransomware is programmed to encode targeted data like images, audio recordings, video materials, office documents, databases, and eBook libraries by using a custom AES cipher. For example, 'The Book of Tobit.epub' is renamed to 'The Book of Tobit.epub.marozka,' and the ransom message is shown in 'HOW TO DECRYPT FILES.txt,' which is listed below:

'All your information (documents, databases, backups and other files) this computer was encrypted using the most cryptographic algorithms.
All encrypted files are formatted .Marozka.
This form files '.Marozka' is a joint development ENGLISH and RUSSIAN Hackers.
You can only recover files using a decryptor and password, which, in turn, only we know.
It is impossible to pick it up.
Reinstalling the OS will not change anything.
No system administrator in the world can solve this problem without knowing the password
In no case do not modify the files! But if you want, then make a backup.
Drop us an email at the address silena.berillo@gmail.com
if within 12 hours you do not respond to hto2018@yandex.ru for further insertions
You have 24 hours left. If they are not decrypted then after 24 hours they will be removed!!!
You can also decrypt files automatically on our website
https://proverka.host'

The decryption key is sent to the Marozka Ransomware team via an encrypted connection, and a decryptor is said to be provided via the two email accounts you can see above. The threat actors appear to demand a payment of 100 USD in Bitcoin to their wallet address, 1NKtjyNax9cQuMYxLXfHWEKwRHac6gTeHc. They even created a payment-processing site hosted at https://proverka.host where users can decrypt one file for free and pay the ransom. A closer look at the bottom section of the landing page at https://proverka.host reveals that the makers of the Marozka Ransomware are interested in selling its source code to interested parties.

You should not pay money to the Marozka Ransomware team, and you should avoid contact with 'hto2018@yandex.ru' and 'silena.berillo@gmail.com.' A hundred dollars might seem like an acceptable price for a decryptor, but paying would fund the development of new versions of the Marozka Ransomware in an already saturated crypto-threat landscape. It is recommended to recover your data from backups and cloud storage services. Removing the Marozka Ransomware should be treated as a priority, and you may want to use a credible security tool. Detection names for the Marozka Ransomware can be found below this article:

Generic.Ransom.Hiddentear.A.8153C9A4
HEUR/QVM03.0.2E55.Malware.Gen
Malware/Win32.Generic.C1020407
Troj/Cryptear-A
Trojan ( 004cd9e31 )
Trojan.Agent!T3Nzg1Y96H8
Trojan.Encoder.10598
Trojan.Ransom.HiddenTear
Trojan[Ransom]/MSIL.Ryzerlo
W32/Ransom.IQ.gen!Eldorado
a variant of MSIL/Filecoder.Z
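Alongside those detection names, the two file-system indicators given in the article (the '.marozka' suffix appended to encrypted files and the 'HOW TO DECRYPT FILES.txt' ransom note) are enough for a quick responder-side triage of an affected machine. The script below is an added example and not code from the original article; it walks a directory tree, lists the encrypted files with their original names recovered, and counts which file types were hit. The sample tree it builds is constructed for the demonstration and is not real victim data.

```python
"""Triage helper for the Marozka Ransomware indicators described above:
files renamed with the '.marozka' suffix and the 'HOW TO DECRYPT FILES.txt'
ransom note. Added example, not part of the original article."""
import os
import tempfile
from collections import Counter

ENCRYPTED_SUFFIX = ".marozka"             # suffix named in the article
RANSOM_NOTE = "HOW TO DECRYPT FILES.txt"  # note filename named in the article


def triage_marozka(root):
    """Walk `root` and report Marozka indicators.

    Returns the encrypted files (original names recovered by stripping the
    suffix, matched case-insensitively since the note spells it '.Marozka'),
    the ransom note locations, and a count of original extensions so a
    responder can see which data types were hit."""
    encrypted, notes, by_ext = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                notes.append(path)
            elif name.lower().endswith(ENCRYPTED_SUFFIX):
                original = name[: -len(ENCRYPTED_SUFFIX)]
                encrypted.append((path, original))
                by_ext[os.path.splitext(original)[1].lower() or "<none>"] += 1
    return {"encrypted": sorted(encrypted), "notes": sorted(notes),
            "by_ext": dict(by_ext), "hit": bool(encrypted or notes)}


def build_sample_tree():
    """Constructed sample tree (not real victim data) mirroring the renaming
    pattern from the article, e.g. 'The Book of Tobit.epub.marozka'."""
    root = tempfile.mkdtemp(prefix="marozka_demo_")
    layout = {
        "Documents": ["The Book of Tobit.epub.marozka", "budget.xlsx.marozka",
                      RANSOM_NOTE, "untouched.txt"],
        "Pictures": ["holiday.jpg.marozka", "photo.JPG.MAROZKA", RANSOM_NOTE],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            with open(os.path.join(root, folder, name), "w") as fh:
                fh.write("sample\n")
    return root


if __name__ == "__main__":
    report = triage_marozka(build_sample_tree())
    print(f"{len(report['encrypted'])} encrypted files, "
          f"{len(report['notes'])} ransom notes, by type: {report['by_ext']}")
```

Point `triage_marozka` at a mounted image or a user profile directory to get an inventory of what was encrypted before restoring from backups; it reads nothing but file names and modifies nothing.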
