On 22 September, Proofpoint noted a non-linear, large-scale attack by a new Windows ransomware variant it has dubbed MarsJoke. The original campaign was aimed at US government and educational institutions, and the “tracking” link accessed “file_6.exe”. The campaign also targeted, in smaller numbers, healthcare, telecommunications, insurance, and several other verticals.
The emails were purportedly from major national airlines and freight carriers and looked legitimate with logos and advertising in them.
This strain of ransomware hasn't been documented before. There were hundreds of thousands of messages involved in this campaign, which used URLs pointing to malware hosted on several freshly registered domains.
Vice-president of threat operations at Proofpoint, Kevin Epstein, said, “The explosion of ransomware we're facing makes MarsJoke feel like 'just another ransomware' - but to the state agency or high school that ends up paying sizeable ransoms or losing critical data, this is hardly ordinary.
“Three things set this campaign apart from other recent ransomware attacks: the use of so-called hosted ransomware, the targeting, and the scale. While it hasn't reached the scale of an average Locky attack, combined with the known targeting, this MarsJoke campaign is significant.”