The US Federal Bureau of Investigation has released a Flash alert warning organizations about attacks carried out by the Mamba ransomware group.
The FBI did not mention how widespread these attacks are, but said that the ransomware “has been deployed against local governments, public transportation agencies, legal services, technology services, industrial, commercial, manufacturing, and construction businesses.”
Mamba (aka HDDCryptor) is not a new ransomware strain; it has been around since at least 2016, when it was first spotted by Trend Micro. The ransomware is known to use DiskCryptor, an open source full disk encryption tool, to encrypt disk and network files and overwrite the Master Boot Record (MBR). Once encryption is complete, the system displays a ransom note that includes the actor’s email address, the ransomware file name, the host system name, and a place to enter the decryption key. Victims are instructed to contact the actor’s email address to pay the ransom in exchange for the decryption key.
However, according to the FBI, a fault in Mamba’s encryption process allows victims to recover the encryption key if the attack is detected at an early stage.
“The ransomware extracts a set of files and installs an encryption service. The ransomware program restarts the system about two minutes after installation of DiskCryptor to complete driver installation. The encryption key and the shutdown time variable are saved to the configuration file (myConf.txt) and is readable until the second restart about two hours later which concludes the encryption and displays the ransom note. If any of the DiskCryptor files are detected, attempts should be made to determine if the myConf.txt is still accessible. If so, then the password can be recovered without paying the ransom. This opportunity is limited to the point in which the system reboots for the second time,” the agency points out.
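The check the alert describes (is myConf.txt still accessible?) can be scripted for a host where DiskCryptor files have turned up. The following is an added example, not code from the FBI alert: it sweeps the given directories for the file and copies any readable hit to an evidence location. The search roots and the evidence directory are assumptions supplied by the responder, and the evidence directory is assumed to be on separate storage, since the local disk is the one being encrypted.

```python
import hashlib
import os
import shutil
from datetime import datetime, timezone

TARGET_NAME = "myconf.txt"  # file name from the alert, compared case-insensitively


def find_config_files(roots):
    """Walk each root and return paths whose file name is myConf.txt."""
    hits = []
    for root in roots:
        # onerror swallows unreadable directories so the sweep keeps going
        for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
            hits.extend(os.path.join(dirpath, f) for f in files
                        if f.lower() == TARGET_NAME)
    return hits


def preserve(path, evidence_dir):
    """Copy one hit to evidence_dir and return a record for the incident log."""
    record = {"source": path, "readable": False}
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError as exc:
        record["error"] = str(exc)  # present but no longer readable
        return record
    digest = hashlib.sha256(data).hexdigest()
    os.makedirs(evidence_dir, exist_ok=True)
    dest = os.path.join(evidence_dir, f"{digest[:16]}_{os.path.basename(path)}")
    shutil.copy2(path, dest)  # copy2 keeps the original timestamps
    mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
    record.update(readable=True, sha256=digest, size=len(data),
                  modified_utc=mtime.isoformat(), copy=dest)
    return record


def triage(roots, evidence_dir):
    """Find and preserve every myConf.txt under roots (assumed search scope)."""
    return [preserve(p, evidence_dir) for p in find_config_files(roots)]


if __name__ == "__main__":
    import json
    import sys
    # Usage: python triage.py <evidence_dir> <root> [<root> ...]
    print(json.dumps(triage(sys.argv[2:], sys.argv[1]), indent=2))
```

The modification time in each record shows when the file was written, which helps place the host within the roughly two-hour window before the second restart.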
The alert also provides a set of recommendations on security measures that organizations can implement to protect their networks from this threat.