
M@r1a Ransomware

Posted: November 5, 2018

The M@r1a Ransomware is a variant of the BlackHeart Ransomware, a file-locking Trojan that encrypts the victim's media and displays ransom warnings. Because a free decryption service would require the campaign's private key to leak, users should keep backups of their documents, pictures and other files on separate devices. Anti-malware products of most brands will also protect a PC by quarantining or removing the M@r1a Ransomware when appropriate.

Another Pulse of the BlackHeart Ransomware

Several months ago, a malware research team came across samples of the BlackHeart Ransomware, a file-locker Trojan with rudimentary data-encrypting and pop-up features. While that threat saw little public exposure, either its author or another criminal has since continued work on the project: a new version, the M@r1a Ransomware, is effectively complete as of November.

The M@r1a Ransomware encrypts images, spreadsheets, archives and other media with AES in CBC mode, then encrypts the AES key with RSA-2048 so that only the holder of the matching private key can recover it. This hybrid scheme is secure against casual decryption attempts and should keep the affected files unopenable unless the threat actor provides the private key. As always, malware researchers urge users to keep backups, which remove any potential the M@r1a Ransomware has for harming files permanently.
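The Go program below is an added illustration of the hybrid scheme described above; it is not code from the M@r1a Ransomware or from the researchers who analysed it. It locks a constructed sample document under a fresh AES-256-CBC key, wraps that key with RSA-2048 (OAEP padding is this example's assumption; the page does not say which RSA padding the Trojan uses), and then shows that the matching private key recovers the file while an unrelated key does not. The names Locked, Lock, Unlock and Demo are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Locked is what a hybrid file-locker leaves behind for one file: the AES key
// wrapped under the attacker's RSA public key, the CBC IV and the ciphertext.
type Locked struct {
	WrappedKey, IV, Ciphertext []byte
}

// CBC works on whole blocks, so the last block is PKCS#7-padded.
func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, fmt.Errorf("ciphertext is not block-aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, fmt.Errorf("bad padding")
	}
	return b[:len(b)-n], nil
}

// Lock encrypts plaintext under a fresh random AES-256 key in CBC mode and wraps that
// key with RSA-OAEP (assumed padding) under pub; afterwards only the private key recovers it.
func Lock(pub *rsa.PublicKey, plaintext []byte) (*Locked, error) {
	buf := make([]byte, 32+aes.BlockSize) // 32-byte AES key followed by a 16-byte IV
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, iv := buf[:32], buf[32:]
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Locked{WrappedKey: wrapped, IV: iv, Ciphertext: ct}, nil
}

// Unlock is the decryptor the threat actor sells: it needs priv to unwrap the AES key.
func Unlock(priv *rsa.PrivateKey, l *Locked) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, l.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap AES key: %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := make([]byte, len(l.Ciphertext))
	cipher.NewCBCDecrypter(block, l.IV).CryptBlocks(padded, l.Ciphertext)
	return pkcs7Unpad(padded, aes.BlockSize)
}

// Demo locks a constructed sample document, then shows that the campaign's
// private key recovers it and an unrelated 2048-bit key does not.
func Demo() (recovered, wrongKeyFails bool, err error) {
	sample := []byte("Q3 invoice: constructed sample document, not a real file")
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	locked, err := Lock(&attacker.PublicKey, sample)
	if err != nil {
		return
	}
	got, err := Unlock(attacker, locked)
	if err != nil {
		return
	}
	recovered = bytes.Equal(got, sample)
	other, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for any key a victim could guess
	if err != nil {
		return
	}
	_, unlockErr := Unlock(other, locked)
	return recovered, unlockErr != nil, nil
}

func main() {
	rec, fails, err := Demo()
	fmt.Println("campaign key recovers file:", rec, "| unrelated key fails:", fails, "| err:", err)
}
```

The point of the construction is visible in Unlock: nothing stored beside the file (wrapped key, IV, ciphertext) helps without the RSA private key, so a "free decryptor" can only exist if that key leaks. Good backups sidestep the problem entirely.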

While the M@r1a Ransomware does create plain-text Readme files for the victim, the majority of its ransom demands are in the pop-up window that it launches automatically. This warning gives the user an e-mail address, a small ransom of about fifty USD in Bitcoin, and a wallet address for purchasing the decryption code. As of this writing the wallet shows no transactions, which may indicate that the threat actor has not yet launched the Trojan's campaign.

Silencing the Telltale Heartbeat of Media Extortion

The current version of the M@r1a Ransomware is fully encryption-capable and blocks work and recreational media on Windows systems more or less indiscriminately. Users who keep copies of their files on other devices, whether removable media such as USB drives or cloud storage, can recover from the data loss without a decryption service. The M@r1a Ransomware is far from the only 'unbreakable' file-locker Trojan that malware researchers are seeing; others include much larger families such as the Crysis Ransomware, the Globe Ransomware, modern iterations of the Scarab Ransomware, and even some versions of the free Hidden Tear.

Attacks from the M@r1a Ransomware could arrive as disguised e-mail attachments posing as invoices or workplace documents. Other infection vectors that malware researchers rate as active in 2018 include free download resources such as torrents, drive-by downloads from exploit kits and, especially, brute-force attacks against network-accessible devices whose logins use weak or default credentials. Strong passwords, regular patching of your software, and avoiding suspicious downloads are pertinent defenses against these attacks. Additionally, standard anti-malware programs should delete the M@r1a Ransomware promptly.
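Of the vectors listed above, the brute-force one is the easiest to catch from logs that most Windows hosts already produce. The Go program below is an added example, not tooling from the page's researchers: it runs a sliding-window rule over constructed logon records and raises an alert when one source address racks up repeated remote logon failures, flagging the case where a successful logon from the same source follows the burst. The key=value line format and the sample lines are made up for this example; the event IDs 4625/4624 and logon types 3/10 are assumed to mirror Windows Security auditing of network and RDP logons, and ParseLine would need adapting to a real collector's output.

```go
package main

import (
	"fmt"
	"time"
)

// Event is one parsed log line. The "key=value" line format is a constructed
// flattening of the Windows Security fields EventID, LogonType, TargetUserName
// and IpAddress, not the real EVTX layout; adapt ParseLine to your collector.
type Event struct {
	Time      time.Time
	ID        int // 4625 = failed logon, 4624 = successful logon
	LogonType int // 3 = network, 10 = RemoteInteractive (RDP)
	User, Src string
}

func ParseLine(line string) (Event, error) {
	var ev Event
	var ts string
	_, err := fmt.Sscanf(line, "time=%s event=%d logon_type=%d user=%s src=%s", &ts, &ev.ID, &ev.LogonType, &ev.User, &ev.Src)
	if err == nil {
		ev.Time, err = time.Parse(time.RFC3339, ts)
	}
	if err != nil {
		return Event{}, fmt.Errorf("bad line %q: %w", line, err)
	}
	return ev, nil
}

// Alert: one source crossed the failure threshold inside the sliding window.
// Succeeded is set when a later 4624 arrives from that source: the guessing run
// ended in a valid logon, which is the case to page on.
type Alert struct {
	Src       string
	Failures  int // remote failures from this source seen so far
	Succeeded bool
}

type srcState struct {
	recent []time.Time // failure times still inside the window
	total  int
	alert  int // 1-based index into the alerts slice; 0 = not alerted yet
}

// Detect returns one Alert per source with >= threshold failed remote logons
// (4625, logon type 3 or 10) inside any window-length span; lines must be in time order.
func Detect(lines []string, threshold int, window time.Duration) ([]Alert, error) {
	var alerts []Alert
	states := map[string]srcState{}
	for _, line := range lines {
		ev, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		if ev.LogonType != 3 && ev.LogonType != 10 {
			continue // interactive and service logons belong to a different rule
		}
		st := states[ev.Src] // zero value for a source not seen before
		switch ev.ID {
		case 4625:
			st.total++
			st.recent = append(st.recent, ev.Time)
			for len(st.recent) > 0 && ev.Time.Sub(st.recent[0]) > window {
				st.recent = st.recent[1:] // evict failures that aged out of the window
			}
			if st.alert == 0 && len(st.recent) >= threshold {
				alerts = append(alerts, Alert{Src: ev.Src})
				st.alert = len(alerts)
			}
			if st.alert > 0 {
				alerts[st.alert-1].Failures = st.total
			}
		case 4624:
			if st.alert > 0 {
				alerts[st.alert-1].Succeeded = true
			}
		}
		states[ev.Src] = st
	}
	return alerts, nil
}

// SampleLog is constructed test data, not a capture from a real host.
var SampleLog = []string{
	"time=2018-11-05T03:14:07Z event=4625 logon_type=10 user=administrator src=203.0.113.45",
	"time=2018-11-05T03:14:09Z event=4625 logon_type=10 user=admin src=203.0.113.45",
	"time=2018-11-05T03:14:12Z event=4625 logon_type=10 user=backup src=203.0.113.45",
	"time=2018-11-05T03:14:40Z event=4624 logon_type=10 user=backup src=203.0.113.45",
	"time=2018-11-05T04:00:00Z event=4625 logon_type=10 user=it src=192.0.2.9",
	"time=2018-11-05T04:03:00Z event=4625 logon_type=10 user=it src=192.0.2.9",
	"time=2018-11-05T04:06:00Z event=4625 logon_type=10 user=it src=192.0.2.9",
	"time=2018-11-05T04:10:00Z event=4625 logon_type=2 user=it src=127.0.0.1",
}

func main() {
	alerts, err := Detect(SampleLog, 3, 5*time.Minute)
	fmt.Printf("%+v (err=%v)\n", alerts, err)
}
```

With a threshold of three failures in five minutes, only 203.0.113.45 alerts, and its alert carries Succeeded because the fourth line is a valid logon from the same address; the slower run from 192.0.2.9 never has three failures inside one window and stays quiet, and the local interactive failure is ignored. Tune threshold and window to the host: a public-facing remote-access service sees far more noise than an internal one.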

An upcoming campaign from the M@r1a Ransomware may not reach the global scale of a Ransomware-as-a-Service family, but it is only one of many ways of getting the contents of a hard drive blocked. The need for backups and proper PC security standards applies just as much to someone with fifty dollars' worth of files as to someone with thousands of dollars in server databases and records.
