Decrypt Files Encrypted by MarsJoke Ransomware - How to, Technology and PC Security Forum |

Decrypt Files Encrypted by MarsJoke Ransomware

decrypt-jokefrommars-marsjoke-ransom-message-sensorstechforumJokeFromMars, also known as MarsJoke ransomware uses AES cipher to encrypt files, adding the .a19 and .ap19 file extension to them. The ransomware virus demands 0.7 or 1.1 BTC (depending on it’s variant) payment to cyber-criminals. The good news is that researchers have developed a decryptor for JokeFromMars ransomware and if you have been infected by this malware, now it is possible to decrypt your files for free. We have designed step-by-step instructions to assist with the successful removal and decryption of MarsJoke ransomware, and it is advisable to follow them and reverse the damage done by it.

MarsJoke Ransomware – Quick Background

When it first came out, news broke out that this virus is not limited as to what type of users the virus will target, meaning that there were targeted attacks or spam campaigns oriented towards government facilities and branches of government institutions, even including Police buildings. This opened up to many possible infection scenarios, including using compromised credentials or fake profiles and e-mails to infect computers within the organization.

After such infection has occurred, the JokeFromMars virus drops several files in key Windows folders. ProofPoint Researchers have detected the virus to drop a malicious executable, named “sysmonitor” in one instance, but the names may vary.

The JokeFromMars virus also modifies heavily the Windows Registry editor. It also begins to encrypt files using a strong AES-256 cipher. The virus is pre-programmed to target the following file types:

→.3gp, .7z, .apk, .avi, .bmp, .cdr, .cer, .chm, conf, .css, .csv, .dat, .db, .dbf, .djvu, .dbx, .docm, ,doc, .epub, .docx .fb2, .flv, .gif, .gz, .iso .ibooks,.jpeg, .jpg, .key, .mdb .md2, .mdf, .mht, .mobi .mhtm, .mkv, .mov, .mp3, .mp4, .mpg .mpeg, .pict, .pdf, .pps, .pkg, .png, .ppt .pptx, .ppsx, .psd, .rar, .rtf, .scr, .swf, .sav, .tiff, .tif, .tbl, .torrent, .txt, .vsd,.wmv, .xls, .xlsx, .xps, .xml, .ckp, zip, .java, .py, .asm, .c, .cpp, .cs, .js, .php, .dacpac, .rbw, .rb, .mrg, .dcx, .db3, .sql, .sqlite3, .sqlite, .sqlitedb, .psd, .psp, .pdb, .dxf, .dwg, .drw, .casb, .ccp, .cal, .cmx, .cr2.

After encryption MarsJoke drops a ransom note with the following message to victims:


Luckily enough, users now do not have to pay for decryption. Malware researchers Anton Ivanov, Orkhan Mamedov and Fedor Sinitsyn, have broken MarsJoke’s code and have successfully updated Kaspersky’s Rannoh decryptor to decipher files for free. What allowed them to break the code was a mistake the malware writers did when they have put a weak string in the key generator of decryption keys.

We have prepared instructions below to help you successfully decrypt MarsJoke ransomware for free, using Rannoh Decryptor.

MarsJoke Ransomware – Removal and Decryption Instructions

If you want to decrypt your files, it is advisable to first remove the MarsJoke virus in case you still have it on your computer. In order to successfully remove it. We advise you to use these instructions to fully delete it:

Manually delete MarsJoke from your computer

Note! Substantial notification about the MarsJoke threat: Manual removal of MarsJoke requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove MarsJoke files and objects
2. Find malicious files created by MarsJoke on your PC
3. Fix registry entries created by MarsJoke on your PC

Automatically remove MarsJoke by downloading an advanced anti-malware program

1. Remove MarsJoke with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by MarsJoke in the future

After you have deleted MarsJoke Ransomware successfully you should follow these steps to restore your files:

Step 1: Download Kaspersky’s Rannoh decryptor by clicking on the button below:

Step 2: Extract the RannohDecryptor.exe file to your desktop or somewhere where you can easily locate it:


Step 3: Run the decryptor and click on the Start Scan button:


Step 4: Choose an encrypted file and an original file, preferably choose a file that is smaller in size so that the process is faster. If you cannot find an original file, make sure to look for default Windows photos on another computer, like the default wallpapers for example.



Step 5: The decryptor will begin looking for a key. After it finds one, it will decrypt your other files as well.

MarsJoke Ransomware Decryption Conclusion

The JokeFromMars ransomware is trying to impost CTB Locker, however it is not CTB. The malware writers have made one critical mistake in this case, in which malware researchers saw an opportunity to break the encryption and update Kaspersky’s decryptor. However, this is an exception. There are still many other ransomware viruses out there, such as the latest Cerber ransowmare variant which has begun to spread massively as spam. This is why we advise you to follow several simple tips about safely storing your files that will greatly increase your ransomware protection:

Safely Store Your Files and Protect Them From Malware

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.