Mamba ransomware is back to its malicious deeds

After a period of inactivity, Mamba returns to the stage

It seems that the notorious Mamba ransomware is back on track. Last week, researchers at Kaspersky Lab detected new signatures of the ransomware, a reminder that this malware should not be forgotten. (source) It has also been reported that victims were tricked into installing the threat on their networks after falling for infected emails that promised them an easy connection to porn-related websites.

Mamba is not a new virus – its activity goes back to mid-2016. However, it is not a typical ransomware, because it is not interested in home users. Instead of these “small catches”, the virus has been trying to earn its income by aiming at large organizations and their networks.

It seeks to do the most damage by encrypting their data with a LEGITIMATE full-disk encryption tool called DiskCryptor.

The damage that has been done

Fortunately, Mamba ransomware is not as common as you might think, but given the way it operates, it is a very dangerous attack. Instead of targeting average home users, it tries to gain access to corporate infrastructures. Judging by the large organizations it has already targeted, its attacks appear to be concentrated in Brazil and Saudi Arabia.

Major awareness of Mamba ransomware was raised at the end of 2016, when it infected the networks of the San Francisco Municipal Transportation Agency. The damage was severe enough to force the agency to open the fare gates, shut down the ticket machines, and let passengers travel for free. Unfortunately, the agency needed several days to recover. That is probably because the ransomware damages the victim’s network in several stages.

Deployment stages of the attack

After the group behind Mamba ransomware gains access to the organization’s network, it launches the malware using the ‘psexec’ utility. The attack is then deployed in two stages. The first stage relies on DiskCryptor, which is a legitimate tool: it is dropped into a folder created by the malware and registered as a system service to ensure that it won’t be removed quickly. Then the hackers restart the target computer.

The second stage is initiated right after the reboot. The malware installs a bootloader, which then starts encrypting the disk partitions through the DiskCryptor software. Once encryption is complete, a second restart is triggered and the target machine becomes inaccessible. The only thing that appears is a login screen with a ransom demand.
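The two artefacts described above, PsExec-driven remote execution followed shortly by DiskCryptor being registered as a Windows service, are exactly what a defender can look for in the System event log (Event ID 7045, "a service was installed in the system"). The following detector is an added example, not code from the article or from any of the products it mentions. The log lines are constructed for the example and use a simplified pipe-separated layout; `PSEXESVC` is the real service name PsExec creates, while the `dcrypt`/`DiskCryptor` strings used as the DiskCryptor indicator are assumptions that should be tuned to the indicators seen in your own telemetry.

```python
"""Correlate 'service installed' events (Windows System log, Event ID 7045)
to spot the PsExec -> DiskCryptor-as-a-service chain the article describes.

Added example; not part of the original article. Log lines are constructed
and the DiskCryptor indicator strings are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Real service name that PsExec registers on the remote host.
PSEXEC_RE = re.compile(r"psexesvc", re.IGNORECASE)
# ASSUMED indicator for a DiskCryptor service/driver registration; tune to your telemetry.
DISKCRYPTOR_RE = re.compile(r"dcrypt|diskcryptor", re.IGNORECASE)

# Constructed sample: timestamp|host|event_id|service_name|image_path
SAMPLE_LOG = """\
2017-08-10T09:12:01|WS-041|7045|PSEXESVC|%SystemRoot%\\PSEXESVC.exe
2017-08-10T09:12:30|WS-041|7045|DefragSvc|%SystemRoot%\\System32\\svchost.exe
2017-08-10T09:14:07|WS-041|7045|DiskCryptor|C:\\Temp\\dcrypt\\dcrypt.sys
2017-08-10T11:02:55|SRV-DB1|7045|PSEXESVC|%SystemRoot%\\PSEXESVC.exe
2017-08-11T08:00:00|SRV-DB1|7045|Spooler|%SystemRoot%\\System32\\spoolsv.exe
2017-08-10T09:20:00|WS-077|7045|DiskCryptor|C:\\Tools\\dcrypt\\dcrypt.sys
"""


def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, host, event_id, service, image = line.split("|", 4)
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host,
        "event_id": int(event_id),
        "service": service,
        "image": image,
    }


def classify(rec):
    """Return 'psexec', 'diskcryptor' or None for a single service-install record."""
    if rec["event_id"] != 7045:
        return None
    text = rec["service"] + " " + rec["image"]
    if PSEXEC_RE.search(text):
        return "psexec"
    if DISKCRYPTOR_RE.search(text):
        return "diskcryptor"
    return None


def analyze(log_text, window=timedelta(hours=1)):
    """Map each host to a severity.

    high   - DiskCryptor service registered within `window` after a PsExec service
             (the chain the article describes)
    medium - DiskCryptor service registered without a preceding PsExec service
    low    - PsExec service only (remote execution, may be legitimate admin work)
    """
    per_host = defaultdict(lambda: {"psexec": [], "diskcryptor": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        kind = classify(rec)
        if kind:
            per_host[rec["host"]][kind].append(rec["ts"])

    verdict = {}
    for host, seen in per_host.items():
        chained = any(
            timedelta(0) <= (dc - px) <= window
            for px in seen["psexec"]
            for dc in seen["diskcryptor"]
        )
        if chained:
            verdict[host] = "high"
        elif seen["diskcryptor"]:
            verdict[host] = "medium"
        elif seen["psexec"]:
            verdict[host] = "low"
    return verdict


if __name__ == "__main__":
    for host, severity in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{host}: {severity}")
```

The one-hour window is deliberately generous: the article notes that the first stage ends with a reboot, so the DiskCryptor registration and the PsExec service may be minutes apart rather than seconds. A PsExec-only hit is kept at low severity because administrators use the tool legitimately; the combination with a disk-encryption driver appearing as a new service is what raises the alarm.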

Note that the ransom amount depends on the number of systems infected on the network: the more machines Mamba ransomware manages to affect, the more it asks. According to the latest reports, it can force companies to pay nearly $100K in exchange for the key needed to decrypt their systems.


Ugnius Kiguolis