
MarioLocker Ransomware

Posted: November 28, 2019

Threat Metric

Threat Level: 10/10
Infected PCs: 9
First Seen: November 29, 2019
Last Seen: September 10, 2021
OS(es) Affected: Windows

The MarioLocker Ransomware is a file-locking Trojan that can block files by encrypting their internal data and modifying their names. Users should have backups as a precautionary defense, although some samples of the MarioLocker Ransomware may provide (or claim to provide) either premium or free decryption solutions. Many anti-malware programs also should be useful for detecting the threat and deleting the MarioLocker Ransomware immediately.

Getting Wasted in a Bad Way

Another file-locking Trojan without a Ransomware-as-a-Service heritage might seem like a rhyming verse in the song begun by threats like the SaveTheQueen Ransomware, the Sun Ransomware or the JesusCrypt Ransomware. The MarioLocker Ransomware is a little different from them, though – both in its visuals and in less-obvious effects. Whether these divergences make a difference or not, however, might be irrelevant to the victims struggling against its traditional encryption feature.

Encryption is a typical function for both legitimate programs and Trojans, the latter of which use it for blocking documents and other files automatically. In most instances, the encryption isn't reversible without a key that the attacker owns, although malware experts haven't examined the MarioLocker Ransomware's security. The MarioLocker Ransomware also currently wipes each file's entire name and adds a numbered 'wasted' extension to the end, which is the only text that remains.

The strangeness of its file name edits is a theme with the MarioLocker Ransomware, and its ransom note is an oddity as well. This Notepad message is in English, with grammar errors, and doesn't come from a template such as that of a Ransomware-as-a-Service like the Dharma Ransomware. It recommends opening a decryption-related file that it drops on the disk, although this file may or may not be a genuine decryptor that could unlock one's data.

Taking Mario Out to the Cleaners

While the MarioLocker Ransomware's visual symptoms differ from the norm, as a Trojan, it also has some 'under the hood' attacks that malware experts stress as a concern. It disables some Windows tools, like the Command Prompt, the Task Manager, and the Registry Editor, all of which could otherwise help users detect the Trojan, remove it, or mitigate its attacks. It also reads Internet cache settings, modifies various certificates, including system ones, and hides some of its components in the Windows directory.
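As a triage aid for the disabled-tools symptom described above, the following PowerShell audit is an added example and not code from the original article or from any analysis of the Trojan. It assumes the tools are blocked through the standard Windows policy values (DisableTaskMgr, DisableRegistryTools, DisableCMD); the article does not say which mechanism the MarioLocker Ransomware uses, and the function name is hypothetical.

```powershell
# Added example: report the standard Windows policy values that turn off
# Task Manager, Registry Editor and Command Prompt.
# Assumption: these are the documented policy locations for each tool,
# not registry keys taken from a MarioLocker sample.
$checks = @(
    @{ Tool = 'Task Manager'
       SubKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableTaskMgr' },
    @{ Tool = 'Registry Editor'
       SubKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableRegistryTools' },
    @{ Tool = 'Command Prompt'
       SubKey = 'Software\Policies\Microsoft\Windows\System'
       Name = 'DisableCMD' }
)

function Get-DisabledToolPolicy {
    # Inspect both the per-user and the machine hive for every value.
    foreach ($hive in 'HKCU:', 'HKLM:') {
        foreach ($c in $checks) {
            $path = "$hive\$($c.SubKey)"
            # A missing key or value returns nothing instead of throwing.
            $prop = Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue
            if ($null -eq $prop) { continue }
            $value = $prop.($c.Name)
            [pscustomobject]@{
                Tool     = $c.Tool
                Path     = $path
                Name     = $c.Name
                Value    = $value
                Disabled = ($value -ne 0)   # any non-zero value blocks the tool
            }
        }
    }
}

$findings = @(Get-DisabledToolPolicy | Where-Object Disabled)
if ($findings.Count -eq 0) {
    'No tool-disabling policy values are set.'
} else {
    # Outside a managed domain policy, a hit here is worth investigating.
    $findings | Format-Table Tool, Path, Name, Value -AutoSize
}
```

Run it in the affected user's session, since HKCU reflects only the logged-on account. On machines where an administrator sets these policies deliberately, compare the findings against the expected Group Policy baseline before treating them as a symptom.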

Until decryption's feasibility is determinable, users can protect documents, pictures, and similar files most effectively by copying them over to an appropriately-secure backup device. Fortunately, the MarioLocker Ransomware hasn't been spotted removing local backups. However, deleting locally-accessible backup content is a feature of nearly every dominant force in the file-locking industry today.

Anti-malware products may prevent infections by spotting this Trojan beforehand, although they also should delete the MarioLocker Ransomware without obstacles. The Trojan doesn't, unlike some threats, include any anti-malware or AV products in its software-disabling blacklist.

The MarioLocker Ransomware is an exciting little project by some threat actor whose likely plan is extortion. What the MarioLocker Ransomware wants, or how much, is, sadly, an unknown quantity that the future must reveal.
