FBI warns organizations about Mamba ransomware

The US Federal Bureau of Investigation has released a Flash alert warning organizations about attacks carried out by the Mamba ransomware group.

The FBI did not mention how widespread these attacks are, but said that the ransomware “has been deployed against local governments, public transportation agencies, legal services, technology services, industrial, commercial, manufacturing, and construction businesses.”

Mamba (aka HDDCryptor) is not a new ransomware strain; it has been around since at least 2016, when it was first spotted by Trend Micro. The ransomware is known to use DiskCryptor, an open-source full-disk encryption tool, to encrypt disk and network files and to overwrite the Master Boot Record (MBR). Once the disk is encrypted, the system displays a ransom note that includes the actor’s email address, the ransomware file name, the host system name, and a prompt to enter the decryption key. Victims are instructed to contact the actor’s email address to pay the ransom in exchange for the decryption key.

However, according to the FBI, a fault in Mamba’s encryption process allows victims to recover the encryption key if the attack is detected at an early stage.

“The ransomware extracts a set of files and installs an encryption service. The ransomware program restarts the system about two minutes after installation of DiskCryptor to complete driver installation. The encryption key and the shutdown time variable are saved to the configuration file (myConf.txt) and are readable until the second restart about two hours later, which concludes the encryption and displays the ransom note. If any of the DiskCryptor files are detected, attempts should be made to determine if the myConf.txt is still accessible. If so, then the password can be recovered without paying the ransom. This opportunity is limited to the point in which the system reboots for the second time,” the agency points out.
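The recovery window the FBI describes is short: DiskCryptor components land on disk, the host reboots once, and myConf.txt stays readable only until the second reboot roughly two hours later. The triage helper below is an added example written for this article; it is not code from the FBI alert, from the DiskCryptor project, or from any Mamba sample. It walks a caller-supplied set of directories, records any DiskCryptor components it sees, checks whether myConf.txt is still readable, and immediately preserves a hashed copy of it so the key survives the reboot. The artifact file names are assumed from the open-source DiskCryptor distribution (the article names only myConf.txt), the directories to scan and the evidence location are supplied by the caller, and the script makes no attempt to parse the configuration file, whose format the article does not describe.

```python
"""Triage helper for the Mamba/DiskCryptor recovery window.

Added example, not from the FBI alert or the DiskCryptor project. Given a set
of directories, it looks for DiskCryptor components and the myConf.txt
configuration file, and, if that file is still readable, copies and hashes it
so the encryption key is not lost at the second reboot.
"""
import hashlib
import os
import shutil
import sys
from dataclasses import dataclass, field
from pathlib import Path
from typing import Iterable, List, Optional

# ASSUMPTION: component names taken from the open-source DiskCryptor package;
# the article itself names only myConf.txt. Adjust to what your own copy or a
# sandbox detonation of the sample actually drops.
DISKCRYPTOR_ARTIFACTS = {"dcrypt.sys", "dcrypt.exe", "dccon.exe", "dcapi.dll", "dcinst.exe"}
CONFIG_NAME = "myconf.txt"  # compared case-insensitively


@dataclass
class TriageResult:
    artifacts: List[Path] = field(default_factory=list)  # DiskCryptor components found
    config_path: Optional[Path] = None                    # myConf.txt, if found
    config_readable: bool = False                         # still readable => key recoverable
    preserved_copy: Optional[Path] = None                 # where the copy was written
    sha256: Optional[str] = None                          # hash of the preserved copy

    @property
    def recovery_window_open(self) -> bool:
        """True when DiskCryptor is present and the key file can still be read."""
        return bool(self.artifacts) and self.config_readable


def scan(roots: Iterable[Path]) -> TriageResult:
    """Walk each root directory, recording DiskCryptor artifacts and myConf.txt."""
    result = TriageResult()
    for root in roots:
        if not root.is_dir():
            continue
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = Path(dirpath) / name
                lower = name.lower()
                if lower in DISKCRYPTOR_ARTIFACTS:
                    result.artifacts.append(path)
                elif lower == CONFIG_NAME and result.config_path is None:
                    result.config_path = path
                    result.config_readable = os.access(path, os.R_OK)
    return result


def preserve_config(result: TriageResult, evidence_dir: Path) -> TriageResult:
    """Copy myConf.txt to the evidence directory and record its SHA-256.

    The copy is made whenever the file is readable, even if no DiskCryptor
    component was matched, because a miss in the artifact list must not cost
    the key; recovery_window_open still reports whether both were seen.
    """
    if result.config_path is None or not result.config_readable:
        return result
    evidence_dir.mkdir(parents=True, exist_ok=True)
    dest = evidence_dir / f"{result.config_path.name}.preserved"
    shutil.copy2(result.config_path, dest)  # keeps timestamps for the timeline
    result.preserved_copy = dest
    result.sha256 = hashlib.sha256(dest.read_bytes()).hexdigest()
    return result


def triage(roots: Iterable[Path], evidence_dir: Path) -> TriageResult:
    """Scan, then preserve the configuration file if it is still readable."""
    return preserve_config(scan(roots), evidence_dir)


if __name__ == "__main__":
    # Usage: python triage.py <evidence_dir> <root_dir> [<root_dir> ...]
    if len(sys.argv) < 3:
        print(__doc__)
        sys.exit(2)
    evidence, *roots = sys.argv[1:]
    r = triage([Path(p) for p in roots], Path(evidence))
    print(f"artifacts={len(r.artifacts)} config={r.config_path} readable={r.config_readable}")
    print(f"recovery_window_open={r.recovery_window_open} preserved={r.preserved_copy} sha256={r.sha256}")
```

Point the evidence directory at removable or network storage rather than the local disk: once the second reboot completes, local volumes are encrypted and the copy would be lost with them. The hash gives the responder a fixed reference for the preserved file before anyone opens it.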

The alert also provides a set of recommendations on security measures that organizations can implement to protect their networks from this threat.
