MarsJoke ransomware variant targets local and state governments

A recently discovered strain of ransomware dubbed MarsJoke is predominantly targeting local and state government officials by luring them to click on malware-laden download links that appear to offer nonexistent package tracking services.

The increasingly popular scam, which was first discovered by cybersecurity researchers at Proofpoint, will encrypt a victim’s data and threaten to permanently encrypt files if an untraceable, bitcoin-based ransom payment of roughly $320 is not received within 96 hours.

Researchers decided to name the ransomware MarsJoke based on a string within the code that reads “HelloWorldItsJokeFromMars.”


When clicked on, the malicious URL will redirect users to a website that launches a file download. Afterwards, the victim’s desktop background will change and be locked before several dialogue boxes pop up. A range of different language options are available to review the instructions, including English, Russian, Italian and Spanish.

MarsJoke is the latest in a long line of different ransomware variants that target government systems, hoping to extort money through threats of destroying valuable information.

MarsJoke, for example, shares a number of similarities with the widely known CryptFile2 campaign, another ransomware scheme which offered fake airline ticket discounts and coupons. Both MarsJoke and CryptFile2 boasted well-crafted email bodies that include stolen branding used by legitimate businesses in order to appear legitimate.

The third most common target for MarsJoke after local and state government offices is K-12 educational institutions. 

Though the government and education sectors are not widely considered to be extensively threatened by ransomware, a recently released research report by security ratings firm BitSight found the education sector to be highly targeted by ransomware campaigns.


“Although patient data makes healthcare organizations a prime target for ransomware attacks, other industries are [also] … on a cyber criminal’s radar,” the BitSight report reads, “Intellectual property, classified government documents, and private financial data are just some of the types of records that cyber criminals may pursue within other industries.” 

Researchers believe that MarsJoke is not “just another ransomware” variant, but rather a highly sophisticated operation orchestrated by a well-resourced criminal group.

Written by Chris Bing

Christopher J. Bing is a cybersecurity reporter for CyberScoop. He has written about security, technology and policy for the American City Business Journals, DC Inno, International Policy Digest and The Daily Caller. Chris became interested in journalism as a result of growing up in Venezuela and watching the country shift from a democracy to a dictatorship between 1991 and 2009. Chris is an alumnus of St. Mary's College of Maryland, a small liberal arts school based in Southern Maryland. He's a fan of Premier League football, authentic Laotian food and his dog, Sam.