Ransomware Decryption Tool Releases

Wednesday, October 5, 2016 @ 11:10 AM gHale

A new ransomware decryption tool has been released to help victims of Polyglot.

The tool allows users suffering from this ransomware, also known as MarsJoke, to restore files, said researchers at Kaspersky Lab.


The Polyglot Trojan has been spreading via spam emails containing a malicious attachment packed in a RAR archive. During the encryption process, the Trojan does not change the names of the files on an infected machine; instead, it blocks access to them.

After encryption, the ransom demand replaces the desktop wallpaper on the victim’s screen. The attackers demand their ransom in bitcoins, and if the payment is not made in time, the Trojan deletes itself from the infected device, leaving all files encrypted.

The Polyglot ransomware mimics CTB-Locker in nearly every way. It has an almost identical graphical interface, a similar sequence of actions required to obtain the decryption key, and a payment page and desktop wallpaper that look the same, researchers said.

The Polyglot encryption mechanism uses a weak encryption key generator, researchers said. A brute-force search through the whole set of possible Polyglot decryption keys can be performed in less than a minute on a standard PC. Discovering this weakness allowed experts to develop a tool that can help unlock users’ data.
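Why a weak key generator makes a full key search practical, as an added example that is not from the article or from Kaspersky Lab's tool. The generator, its 20-bit seed space, the SHA-256 keystream cipher and the PNG sample are all constructed stand-ins, because the article does not describe Polyglot's actual algorithm.

```python
import hashlib
import secrets

SEED_BITS = 20                      # assumed seed space of the weak generator (constructed)
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"    # known plaintext: every PNG file starts with these bytes

def weak_keygen(seed: int) -> bytes:
    """Hypothetical weak generator: the key is 256 bits long, but it depends
    only on a small seed, so there are just 2**SEED_BITS possible keys."""
    return hashlib.sha256(b"demo-keygen" + seed.to_bytes(4, "big")).digest()

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (SHA-256 in counter mode); the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + (offset // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def recover_key(ciphertext: bytes, magic: bytes = PNG_MAGIC, seed_bits: int = SEED_BITS):
    """Walk the whole seed space; accept the key whose decryption of the first
    bytes matches the known file header. Returns (seed, key) or None."""
    head = ciphertext[:len(magic)]
    for seed in range(1 << seed_bits):
        key = weak_keygen(seed)
        if keystream_xor(key, head) == magic:
            return seed, key
    return None  # header unknown, or the key came from outside the searched space

def demo():
    """Lock a constructed sample file with a random weak key, then recover it."""
    original = PNG_MAGIC + b"constructed sample file body " * 4
    seed = secrets.randbelow(1 << SEED_BITS)
    locked = keystream_xor(weak_keygen(seed), original)
    found = recover_key(locked)
    restored = keystream_xor(found[1], locked) if found else b""
    return seed, found[0] if found else None, restored == original

if __name__ == "__main__":
    print(demo())
```

The search cost is set by the generator's seed space, not by the length of the key it outputs, which is why a nominally long key can still fall in under a minute.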
