Author: Yadu Nadh
On 23 March 2021, the Federal Bureau of Investigation reported on a variant of the disk-encrypting ransomware HDDCryptor, also known as Mamba. Specifically, it weaponizes DiskCryptor, a legitimate, open source full-disk encryption tool.1
Threat actors previously used Mamba to infect victims in Brazil and Saudi Arabia, as well as to attack the San Francisco Municipal Transportation Agency (SFMTA) in November 2016.2
The cybersecurity community first discovered Mamba ransomware in 2016.3 It has been deployed against:
- local government,
- public transportation agencies,
- legal services,
- technology services,
- manufacturing, and
- construction businesses.
The threat actors behind Mamba encrypt the victim’s disk, including the operating system partition, with a weaponized build of DiskCryptor. The ransomware’s capabilities include privilege escalation via exploit. Threat actors distribute Mamba via malicious spam (malspam) and can also compromise the victim’s network through Remote Desktop Protocol (RDP) access.
Once the malware has encrypted the victim’s system, it displays a ransom note containing the actor’s email address, the ransomware file name, the host system name, and a field in which to enter the decryption key. The note instructs the victim to contact the actor’s email address and pay the ransom in exchange for the decryption key. The threat actor sets the ransom amount according to the scale of the infection and demands payment in Bitcoin.4
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.