Mamba Ransomware – It’s back


Introduction

Just when we were tired enough of the string of ransomware families seen recently, one more player is back from the forgotten graveyard. This time it is bigger and better.

If we look into its history, its targets were mainly Windows users in India, Brazil and the United States. During execution it encrypted not only files but also the whole hard drive.

In those dark days, this ransomware propagated mostly through spear-phishing campaigns. Once downloaded, the malicious code started by encrypting the system drives. Then came a ransom page threatening to delete all the encrypted files unless a ransom, mostly in the form of bitcoin, was paid to the attacker.

One of its earlier victims that caught almost everyone’s eye was the “San Francisco Municipal Transport Agency (SFMTA).” More than 2000 computers were compromised.

Attack Geography

Currently, the attack is observed against corporations that are located in Brazil and Saudi Arabia.

Execution Process

The malware gains access to the targeted organisation’s network and begins execution using the psexec utility. For each machine in the victim’s network, the executor generates a password for the DiskCryptor utility, which is passed to the ransomware dropper via command line arguments. To date, no way has been discovered to decrypt data that has been encrypted using DiskCryptor.

The malicious activity can be separated into two stages:

Stage 1: The system is prepared for execution

  • A folder named “http” inside another folder “xampp” is created on the C drive, i.e. “C:\xampp\http”.
  • The DiskCryptor components are then dropped into that folder.
  • The DiskCryptor driver is installed next. It writes a new bootloader to the MBR; this new bootloader is what contains the ransom message.
  • A system service called DefragmentService is registered. It runs at every boot and calls the ransomware’s original binary.
  • The victim machine is then rebooted.

Stage 2: Encryption

  • The first step is to set up the bootloader in the MBR using DiskCryptor. The command looks like:
    “C:\xampp\http\dccon.exe” -boot -setmbr hd0
  • Once the bootloader is set, the partitions are encrypted with the unique password. The command looks like:
    “C:\xampp\http\dccon.exe” -encrypt pt0 -p <password>
  • When the encryption is done, the victim’s machine is rebooted and the ransom note is displayed.
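As an added example (not code from the original post), the following Python scans process-creation records for the Stage 1 and Stage 2 artefacts described above: the C:\xampp\http staging folder, the DefragmentService registration, and dccon.exe invoked with -boot -setmbr or -encrypt pt0 -p. The event format, host names, the sc.exe registration line and the dropper file name are assumptions; the sample events are constructed.

```python
import re

# Detection rules built from the Stage 1/2 behaviour described above.
# Patterns are applied case-insensitively to the full command line.
RULES = {
    "dccon_set_mbr":      re.compile(r"dccon\.exe.*\s-boot\b.*\s-setmbr\b", re.I),
    "dccon_encrypt":      re.compile(r"dccon\.exe.*\s-encrypt\s+pt\d+.*\s-p\b", re.I),
    "xampp_http_staging": re.compile(r"[a-z]:\\xampp\\http\\", re.I),
    "defragment_service": re.compile(r"\bDefragmentService\b", re.I),
}

# Constructed sample process-creation events (host, command line); not real telemetry.
# "dropper.exe" is a placeholder: the write-up does not name the dropper binary.
SAMPLE_EVENTS = [
    {"host": "WS01", "cmdline": r'"C:\xampp\http\dccon.exe" -boot -setmbr hd0'},
    {"host": "WS01", "cmdline": r'"C:\xampp\http\dccon.exe" -encrypt pt0 -p Pa55word'},
    {"host": "WS01", "cmdline": r'sc.exe create DefragmentService binPath= "C:\xampp\http\dropper.exe"'},
    {"host": "WS02", "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    # Legitimate DiskCryptor use by an admin from its normal install path: no staging folder.
    {"host": "ADMIN01", "cmdline": r'"C:\Program Files\dcrypt\dccon.exe" -encrypt pt0 -p hunter2'},
]

def classify(cmdline):
    """Return the names of every rule that fires on one command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def verdict(fired):
    """DiskCryptor usage together with the staging artefacts is high confidence;
    either alone is only medium, because DiskCryptor itself is a legitimate tool."""
    crypt = {"dccon_set_mbr", "dccon_encrypt"} & fired
    staging = {"xampp_http_staging", "defragment_service"} & fired
    if crypt and staging:
        return "high"
    if crypt or staging:
        return "medium"
    return "none"

def report(events):
    """Aggregate fired rules per host; return {host: verdict} for hosts with any hit."""
    per_host = {}
    for ev in events:
        fired = classify(ev["cmdline"])
        if fired:
            per_host.setdefault(ev["host"], set()).update(fired)
    return {host: verdict(fired) for host, fired in per_host.items()}

if __name__ == "__main__":
    for host, level in report(SAMPLE_EVENTS).items():
        print(f"{host}: {level}")
```

Feed it real Sysmon or EDR process-creation command lines in the same shape; a host that hits both a dccon rule and a staging rule within a short window is the case worth isolating first.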

How to save yourself?

Update your anti-virus definitions. Most antivirus vendors are already detecting it.

Some hash values to help you in further analysis:

SHA1: 07955e280024fd69b45e084587d41b6a4f1a5fb3
SHA1: 20bd17c451563b0a20bfaf920428249eecc0ee0d
MD5: 79ed93df3bec7cd95ce60e6ee35f46a1
SHA256: b9b6045a45dd22fcaf2fc13d39eba46180d489cb4eb152c87568c2404aecac2f
