Mamba Ransomware – It’s back
When we were already tired enough with the series of ransomwares seen recently, one more player is back from the forgotten graveyard. This time it’s bigger and better.
If we look into its history, the target was more specific to windows users in India, Brazil and United States. In its execution, it used to encrypts not only files but also encrypts the hard drive.
In those dark days, This ransomware propagated mostly through spearphish campaigns. The malicious code once downloaded starts its working by encrypting system drives. Then comes a ransom page threatening the victim to delete all the encrypted files until a ransom, mostly in form of bitcoin is paid to the attacker.
One of its old victims which caught almost everyone’s eye was “San Francisco Municipal Transport Agency (SFMTA).” More than 2000 computers were comprised.
Currently, the attack is observed against corporations that are located in Brazil and Saudi Arabia.
The malware tries to gain access to targeted organisation’s network and begins the execution using psexec utility. Also, for each machine in the victim’s network, the executor generates a password for the DiskCryptor utility which is passed to ransomware dropper via command line arguments. Till date, no way has been discovered to decrypt data that has been encrypted using DiskCryptor.
The malicious activity can be separated into two stages:
Stage 1 : This is where system is prepared for the execution
- A folder named “http” inside another folder “xampp” is created in C drive like“C:\xampp\http“
- Then it drop DiskCryptor components into the folder
- DiskCryptor driver is installed next. It sets up the new bootloader to MBR. It’s the new bootloader which contains the ransomware message.
- Then it registers a system service called DefragmentService which runs at every boot and calls the ransomware’s original binary.
- Then it reboots the victim machine.
Stage 2: Encryption
- First step is to setup bootloader to MBR using DiskCryptor. The command looks like:
“C:\xmapp\http\dccon.exe” -boot -setmbr hd0
- Once the bootloader is set, the partitions are encrypted and a unique password is added. The command looks like:
“C:\xmapp\http\dccon.exe” -encrypt pt0 -p <password>
- When the encryption is done, victim’s machine is rebooted and the ransom note is displayed.
How to save yourself?
Update your anti-virus definition. Most of the antivirus vendors are already detecting it.
Some SHA values and references to help you in further analysis: