25 March 2021

FBI warns organizations about Mamba ransomware


The US Federal Bureau of Investigation has released a Flash alert warning organizations about attacks carried out by the Mamba ransomware group.

The FBI did not mention how widespread these attacks are, but said that the ransomware “has been deployed against local governments, public transportation agencies, legal services, technology services, industrial, commercial, manufacturing, and construction businesses.”

Mamba (aka HDDCryptor) is not a new ransomware strain; it has been around since at least 2016, when it was first spotted by Trend Micro. The ransomware has been known to use DiskCryptor, an open source full disk encryption software, to encrypt disk and network files and overwrite the Master Boot Record (MBR). Once the disk is encrypted, the system displays a ransom note including the actor’s email address, the ransomware file name, the host system name, and a place to enter the decryption key. Victims are instructed to contact the actor’s email address to pay the ransom in exchange for the decryption key.

However, according to the FBI, a fault in Mamba’s encryption process allows victims to recover the encryption key if the attack is detected at an early stage.

“The ransomware extracts a set of files and installs an encryption service. The ransomware program restarts the system about two minutes after installation of DiskCryptor to complete driver installation. The encryption key and the shutdown time variable are saved to the configuration file (myConf.txt) and are readable until the second restart about two hours later, which concludes the encryption and displays the ransom note. If any of the DiskCryptor files are detected, attempts should be made to determine if the myConf.txt is still accessible. If so, then the password can be recovered without paying the ransom. This opportunity is limited to the point in which the system reboots for the second time,” the agency points out.
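The recovery window the FBI describes is short, so a responder wants a repeatable check rather than a manual hunt. The following Python triage helper is an added example, not code from the alert or from this site: it walks a file tree for DiskCryptor component files, and where a myConf.txt is found and still readable, copies it to an evidence directory before the second reboot and pulls the key out of it. The indicator filenames (dcrypt.sys, dcapi.dll, dcrypt.exe, dccon.exe, dcinst.exe) are assumed DiskCryptor component names and should be aligned with the IoC list in the full Flash; the key=value layout of myConf.txt is likewise an assumption made for the demo, since the alert only says the file holds the key and the shutdown time. The sample host tree is constructed inline.

```python
import os
import re
import shutil
import tempfile
from pathlib import Path

# Assumed indicator filenames (DiskCryptor components dropped alongside Mamba).
# They are not listed on this page, so tune the set to the IoCs in the full FBI Flash.
DISKCRYPTOR_INDICATORS = {"dcrypt.sys", "dcapi.dll", "dcrypt.exe", "dccon.exe", "dcinst.exe"}
# Configuration file named in the alert; readable only until the second reboot.
CONFIG_NAME = "myconf.txt"


def find_artifacts(root):
    """Walk `root` and return (diskcryptor_files, config_files) as lists of Paths."""
    indicators, configs = [], []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            lowered = name.lower()
            if lowered in DISKCRYPTOR_INDICATORS:
                indicators.append(path)
            elif lowered == CONFIG_NAME:
                configs.append(path)
    return indicators, configs


def parse_config(text):
    """Extract `key=value` / `key: value` lines into a dict (keys lower-cased).
    The layout is an assumption for this demo; the alert only states that the
    encryption key and the shutdown time variable live in myConf.txt."""
    fields = {}
    for line in text.splitlines():
        match = re.match(r"\s*([A-Za-z_][A-Za-z0-9_]*)\s*[=:]\s*(.*?)\s*$", line)
        if match:
            fields[match.group(1).lower()] = match.group(2)
    return fields


def preserve_config(config_path, evidence_dir):
    """Copy the config to `evidence_dir` (so the key survives the second reboot)
    and parse the copy. Raises OSError if the file is no longer readable."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    copy_path = evidence_dir / (config_path.name + ".evidence")
    shutil.copy2(config_path, copy_path)
    return copy_path, parse_config(copy_path.read_text(errors="replace"))


def triage(root, evidence_dir):
    """The workflow from the alert: look for DiskCryptor files, then check whether
    myConf.txt is still accessible and, if so, preserve it and pull out the key."""
    indicators, configs = find_artifacts(root)
    report = {"diskcryptor_files": sorted(p.name for p in indicators), "configs": []}
    for cfg in configs:
        try:
            copy_path, fields = preserve_config(cfg, evidence_dir)
        except OSError as exc:
            # Window has closed (or access denied): record it, keep going.
            report["configs"].append({"path": str(cfg), "readable": False, "error": str(exc)})
            continue
        report["configs"].append({
            "path": str(cfg),
            "readable": True,
            "copy": str(copy_path),
            "password": fields.get("password"),
            "shutdown_time": fields.get("shutdown_time"),
        })
    report["recoverable"] = any(c["readable"] and c["password"] for c in report["configs"])
    return report


def build_sample_host(base):
    """Constructed stand-in for an infected host's file tree (placeholder bytes,
    not real malware output), used so the example runs offline."""
    base = Path(base)
    dropped = base / "Users" / "Public" / "dc"
    dropped.mkdir(parents=True)
    for name in ("dcrypt.sys", "dcapi.dll", "dccon.exe", "readme.txt"):
        (dropped / name).write_bytes(b"\x00placeholder\x00")
    (dropped / "myConf.txt").write_text("password=ExampleKey-NotReal-123\nshutdown_time=120\n")
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        host = build_sample_host(Path(tmp) / "host")
        print(triage(host, Path(tmp) / "evidence"))
```

On a live host you would point `triage()` at the system drive and an evidence location that is not itself about to be encrypted (removable media or a network share), and treat `recoverable: True` as the cue to take the machine off the network and stop the pending reboot rather than as the end of the investigation.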

The alert also provides a set of recommendations on security measures that organizations can implement to protect their networks from this threat.
