Mamba Ransomware Attack: Targeting Hard Disk Instead of Files
A new ransomware family called "Mamba" is on the rise. It paralyzes the target computer and prevents the user from reaching the desktop and files. Mamba was the first ransomware seen in a public attack that encrypts the whole hard drive rather than individual files; its early victims were primarily organizations in Brazil and the San Francisco Municipal Transportation Agency. It is a variant of the disk-encryption ransomware first observed in early November 2016. Unlike the Petya ransomware, which encrypts the Master File Table (MFT) to revoke access to the data, Mamba uses disk-level encryption. The ransomware is reported to run as a 'DiskCryptor' process on the compromised PC.
The way Mamba spreads between users' systems varies, but its operators are likely using malicious tools such as exploit kits and spam mail carrying Trojan droppers. As stated above, the ransomware can lock the entire local drive, and researchers are still working on finding weaknesses in it. Analysis is hindered by the full-disk encryption, which hides most of Mamba. The ransomware may run in the system background and first encode files that are rarely accessed. It then proceeds to lock other data and tightens its grip on the drive by encrypting the files opened during the last session, or on the next system boot. There are other variants of Mamba, such as the Black Mamba ransomware.
Mamba Ransomware Is Designed To Hit Corporations and Other Large Organizations
Security researchers report that the actors behind these attacks usually target company offices and other corporate networks in Saudi Arabia and Brazil. The attacks are also expected to spread to other countries and regions.
The attackers behind the Mamba campaign leverage the PsExec utility to execute the threat across the corporate network once it has propagated; NotPetya used the same PsExec tool to move within target networks. According to Kaspersky, the ransomware uses a two-phase infection pattern. In the first phase the criminals drop the DiskCryptor tool into a new folder created by the malware, obtain persistence by registering a system service called DefragmentService, and then reboot the system. The second phase sets up the new bootloader and encrypts the disk partitions using DiskCryptor, after which the machine is rebooted again. The malware also generates a DiskCryptor password for each machine in the targeted network; according to Kaspersky, the ransomware receives this password as a command-line argument.
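As an added example (not from the article, from Kaspersky, or from the DiskCryptor project), the following Python script shows how a defender might hunt for the chain just described in Windows event data: service installs (System event 7045 / Security event 4697) carrying the DefragmentService name the article gives, PsExec's own PSEXESVC service, and process creations (Security event 4688 / Sysmon event 1) of DiskCryptor executables. The log format, host names and folder paths are constructed for the example; the executable names dcrypt.exe and dccon.exe are DiskCryptor's GUI and console binaries and are an assumption here, since the article only says a DiskCryptor process runs.

```python
"""Triage Windows event data for the Mamba / DiskCryptor infection chain.

Added example: correlates service installs with DiskCryptor process
creations per host and assigns a severity. Not taken from the article.
"""
import os
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Indicator tokens. "DefragmentService" is the persistence service named in
# the article. "PSEXESVC" is the service PsExec itself installs on a remote
# host (PsExec behaviour, not stated in the article). "dcrypt.exe" and
# "dccon.exe" are DiskCryptor's GUI and console executables (assumption: the
# article only says a DiskCryptor process runs on the compromised PC).
SERVICE_INDICATORS = {
    "defragmentservice": "mamba_service",
    "psexesvc": "psexec_service",
}
DISKCRYPTOR_IMAGES = {"dcrypt.exe", "dccon.exe"}

# Event IDs: 7045 (System: new service installed), 4697 (Security: service
# installed), 4688 (Security: process creation), 1 (Sysmon: process creation).
SERVICE_INSTALL_IDS = {7045, 4697}
PROCESS_CREATE_IDS = {4688, 1}


@dataclass
class Finding:
    host: str
    kind: str
    detail: str


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value|key=value' log line into a dict."""
    fields = {}
    for token in line.strip().split("|"):
        key, _, value = token.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def find_indicators(lines: List[str]) -> List[Finding]:
    """Return one Finding per event that matches a Mamba-chain indicator."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        host = ev.get("host", "?")
        try:
            event_id = int(ev.get("id", "0"))
        except ValueError:
            continue  # malformed line; skip rather than abort the hunt
        if event_id in SERVICE_INSTALL_IDS:
            name = ev.get("ServiceName", "").lower()
            kind = SERVICE_INDICATORS.get(name)
            if kind:
                findings.append(Finding(host, kind, f"service {name} -> {ev.get('ImagePath', '')}"))
        elif event_id in PROCESS_CREATE_IDS:
            # Normalise Windows path separators so basename() works on any OS.
            image = os.path.basename(ev.get("Image", "").replace("\\", "/")).lower()
            if image in DISKCRYPTOR_IMAGES:
                findings.append(Finding(host, "diskcryptor_process", f"{image} {ev.get('CommandLine', '')}"))
    return findings


def triage(lines: List[str]) -> Dict[str, str]:
    """Return {host: severity} for every host with at least one indicator."""
    per_host = defaultdict(set)
    for f in find_indicators(lines):
        per_host[f.host].add(f.kind)
    verdict = {}
    for host, kinds in per_host.items():
        if "mamba_service" in kinds and "diskcryptor_process" in kinds:
            verdict[host] = "high"    # both stages of the chain seen on one host
        elif "mamba_service" in kinds or "diskcryptor_process" in kinds:
            verdict[host] = "medium"  # one stage seen; investigate
        else:
            verdict[host] = "low"     # PsExec alone is common legitimate admin use
    return verdict


# Constructed sample events (not real telemetry). Folder paths are placeholders.
SAMPLE_EVENTS = [
    r"host=ws01|id=7045|ServiceName=DefragmentService|ImagePath=C:\<dropper-folder>\dccon.exe",
    r"host=ws01|id=4688|Image=C:\<dropper-folder>\dccon.exe|CommandLine=dccon.exe <arguments-redacted>",
    r"host=ws02|id=7045|ServiceName=PSEXESVC|ImagePath=%SystemRoot%\PSEXESVC.exe",
    r"host=ws03|id=7045|ServiceName=Spooler|ImagePath=C:\Windows\System32\spoolsv.exe",
    r"host=ws04|id=1|Image=C:\Users\Public\dcrypt.exe|CommandLine=dcrypt.exe",
]

if __name__ == "__main__":
    for host, severity in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host}: {severity}")
```

Because the article notes that the per-machine DiskCryptor password is passed on the command line, the `CommandLine` field is worth keeping in the alert detail; on real systems that field is only populated in event 4688 when process command-line auditing is enabled, or when Sysmon is deployed. PsExec on its own is scored low because administrators use it legitimately; it becomes interesting only alongside the other indicators.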
After infiltration, Mamba modifies the system MBR to display the ransom note. Unlike the original Mamba, this note does not demand a sum of money directly; instead, affected users are told to contact the threat actors at two given email addresses, quoting an ID number. That email contact is used to recover the encryption key.
As discussed above, Mamba follows the well-known attack vectors associated with its prior versions. It uses a two-stage infection pattern that first infiltrates the computer network and then escalates the damage. The attackers' motive is predefined: lock the user's hard disk and extort money for it. It is therefore highly recommended to follow prevention steps to avoid such malicious attacks, now and in the future.