{"id":13138,"date":"2016-10-03T10:10:56","date_gmt":"2016-10-03T14:10:56","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=13138"},"modified":"2019-11-15T06:52:58","modified_gmt":"2019-11-15T11:52:58","slug":"polyglot-decryptor","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/polyglot-decryptor\/13138\/","title":{"rendered":"MarsJoke: the cryptor and the cure"},"content":{"rendered":"<p>Every day, new versions and variations of ransomware pop up. Malware creators are still sure that ransomware is their ticket to easy street, despite the fact that law enforcement agencies are paying more and more attention to the problem.<\/p>\n<p>In fact, so many different versions are out there, ransomware creators have started to repeat themselves or copy the work of others. For example, the recently discovered <a href=\"https:\/\/securelist.com\/blog\/research\/76182\/polyglot-the-fake-ctb-locker\/\" target=\"_blank\" rel=\"noopener noreferrer\">Trojan-cryptor Polyglot<\/a>, aka MarsJoke, is a knockoff of the infamous (and rather nasty) <a href=\"https:\/\/www.kaspersky.com\/blog\/new-version-ctb-locker\/7310\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">CTB-Locker ransomware<\/a>.<\/p>\n<p>You can see traces of CTB-Locker all over Polyglot. Its interface is absurdly reminiscent of the older Trojan. It changes victims\u2019 desktop wallpaper the same way and, just like CTB-Locker, it lets victims decrypt five files free as proof that they can be decrypted.<\/p>\n<p>Polyglot\u2019s instructions to victims are also identical to those of CTB-Locker \u2014 the text looks to have been copied and pasted. 
Even the \u201cRequest failed\u201d window that pops up in case there is no Internet connection looks the same.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/10\/06021521\/polyglot-comparison-screen.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-13139\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/10\/06021521\/polyglot-comparison-screen.png\" alt=\"MarsJoke: the cryptor and the cure\" width=\"1571\" height=\"515\"><\/a><\/p>\n<p>The encryption algorithms Polyglot uses are also the same \u2014 and they are rather strong.<\/p>\n<p>Polyglot is delivered mostly through spam \u2014 the emails contain malicious links that supposedly lead to important documents. Of course, there are no documents \u2014 just an archive with a malicious executable file. Once installed, Polyglot connects to its command-and-control server to send information about the infected PC and handle the ransom. In our case, it demanded 0.7 bitcoins, which is about $320.<\/p>\n<p>Perhaps the only visual discrepancy between CTB-Locker and its new clone is that MarsJoke\/Polyglot leaves the encrypted files with their original extensions, whereas CTB-Locker changed the extension \u2014 usually to .ctbl or .ctb2.<\/p>\n<p>Despite the apparent similarities between Polyglot and CTB-Locker, they are two completely different malware species. They share almost no code. 
Our experts think that by mimicking CTB-Locker\u2019s looks, Polyglot\u2019s creators were trying to put researchers on the wrong track.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/10\/06021523\/polyglot-comparison-screen2.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-13140\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/10\/06021523\/polyglot-comparison-screen2.png\" alt=\"MarsJoke: the cryptor and the cure\" width=\"1572\" height=\"514\"><\/a><\/p>\n<div class=\"pullquote\">Fortunately, Polyglot\u2019s creator made a mistake with the key generator, which made it possible for Kaspersky Lab\u2019s researchers to come up with a free decryptor<\/div>\n<p>As you may know, there is no known way to decrypt files encrypted by CTB-Locker without paying the ransom. But again, Polyglot and CTB-Locker are not the same under the hood. And fortunately, Polyglot\u2019s creator made a mistake with the key generator, and that made it possible for Kaspersky Lab\u2019s researchers to come up with a cure \u2014 a free utility that can decrypt all of the damaged files.<\/p>\n<p>To decrypt the files encrypted by Polyglot\/MarsJoke, download and install the free RannohDecryptor utility (version 1.9.3.0 or newer) from <a href=\"http:\/\/noransom.kaspersky.com\" target=\"_blank\" rel=\"noopener noreferrer\">noransom.kaspersky.com<\/a>. It will restore your files.<\/p>\n<p>Truth be told, we got lucky with Polyglot\/MarsJoke. Malware creators are constantly adapting and improving their creations. For example, after we solved <a href=\"https:\/\/www.kaspersky.com\/blog\/cryptxxx-ransomware\/11939\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">CryptXXX<\/a> three times, its creator finally tuned the encryption algorithm such that our utilities could not handle it. Maybe Polyglot\u2019s creator will manage the same feat. 
Bottom line: You can\u2019t rely on a decryption utility being available for any ransomware you might encounter.<\/p>\n<p>The best way to stay safe from ransomware is to catch it before it starts doing anything. And that is what good antivirus solutions \u2014 like <a href=\"https:\/\/store.kaspersky.com\/store\/kaspersk\/en_IE\/buy\/productID.320853100\/quantity.1\/Currency.USD?cid=gl_socmed_pro_ona_smm__onl_b2c_kasperskydaily_lnk____kismd___&amp;affiliate=gl_socmed_pro_ona_smm__onl_b2c_kasperskydaily_lnk____kismd___\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Kaspersky Internet Security<\/a> \u2014 do.<\/p>\n<p>To be on the safe side, we also recommend that you back up your data frequently and avoid opening suspicious attachments or clicking on suspicious links.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Polyglot, aka MarsJoke, had aspirations. It was trying to be the next CTB-Locker \u2014 but we developed a cure.<\/p>\n","protected":false},"author":696,"featured_media":13141,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,2683],"tags":[1680,1105,1733,352,1834,420,723,1835],"class_list":{"0":"post-13138","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-cryptors","10":"tag-ctb-locker","11":"tag-decryptors","12":"tag-kaspersky-lab","13":"tag-marsjoke","14":"tag-ransomware","15":"tag-trojans","16":"tag-zipcryptor"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/polyglot-decryptor\/13138\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/polyglot-decryptor\/7736\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/polyglot-decryptor\/7743\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/polyglot-decryptor\/7790\/"},{"hreflang":"es","url":"https:\/\/www.kaspersk
y.es\/blog\/polyglot-decryptor\/9217\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/polyglot-decryptor\/9075\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/polyglot-decryptor\/13245\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/polyglot-decryptor\/2479\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/polyglot-decryptor\/6119\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/polyglot-decryptor\/6607\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/polyglot-decryptor\/5468\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/polyglot-decryptor\/8841\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/polyglot-decryptor\/12751\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/polyglot-decryptor\/13245\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/polyglot-decryptor\/13138\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/polyglot-decryptor\/13138\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/ransomware\/","name":"Ransomware"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/13138","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/696"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=13138"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/13138\/revisions"}],"predecessor-version":[{"id":30136,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/13138\/revisions\/30136"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\
/13141"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=13138"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=13138"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=13138"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}