The attackers of Mamba alter their demands depending on the number of systems infected
A powerful form of ransomware called Mamba, which encrypts every file on the system, has made a comeback, according to a report by Kaspersky Lab.
Mamba, which first appeared in September 2016 in an attack on an energy company in Brazil, uses a legitimate piece of software called DiskCryptor to lock all the files on the hard drive.
Similar tactics have been used in previous ransomware attacks, such as Petya and WannaCry, which experts pointed out were designed to destroy files rather than generate ransom money.
The ransomware usually targets large organisations.
Mamba ransomware is not commonly encountered and has mainly targeted Brazil and Saudi Arabia. However, in November 2016 the San Francisco Municipal Transport Agency was also hit by Mamba, and the operator ended up letting passengers ride the trains for free.
Mamba was the first ransomware detected that encrypted whole hard drives rather than individual files.
Currently, there is no tool available to decrypt the data that has been locked by Mamba Ransomware as it uses extremely strong encryption algorithms.
How does an attack take place?
According to Kaspersky Lab's Securelist, the group gains access to an organisation's network and uses the 'psexec' utility to execute the ransomware.
Kaspersky Lab states that the attack occurs in two stages. In the first stage, DiskCryptor is copied into a folder created by the malware and installed. A system service named DefragmentService is also registered to ensure persistence. The targeted machine is then rebooted.
In the second stage, the malware installs a new bootloader and encrypts the disk partitions with DiskCryptor. The system is then rebooted again.
For each machine in the victim's network, the threat actor generates a password for the DiskCryptor utility. That same password is passed via command-line arguments to the ransomware dropper.
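A defender-side illustration of the indicators described above, added here and not taken from the Kaspersky report: it scans constructed Windows event records for a DefragmentService installation and for PsExec-launched processes carrying a bare (non-option) command-line argument, the pattern of a password handed to the dropper. The field names, sample hosts and file paths are assumptions; map them to your own SIEM schema.

```python
# Constructed sample events in a flattened form. Assumed keys: event_id 7045
# (System log: "a service was installed") and Sysmon event_id 1 (process create).
SAMPLE_EVENTS = [
    {"event_id": 7045, "service_name": "DefragmentService",
     "image_path": "C:\\Users\\Public\\dc\\DiskCryptor.exe", "host": "srv01"},
    {"event_id": 7045, "service_name": "Spooler",
     "image_path": "C:\\Windows\\System32\\spoolsv.exe", "host": "srv02"},
    {"event_id": 1, "parent_image": "C:\\Windows\\PSEXESVC.exe",
     "image": "C:\\Users\\Public\\dropper.exe",
     "command_line": "dropper.exe S3cretPassw0rd", "host": "ws07"},
    {"event_id": 1, "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "command_line": "notepad.exe", "host": "ws07"},
]

MAMBA_SERVICE = "defragmentservice"      # persistence service name reported by Kaspersky Lab
PSEXEC_SERVICE = "psexesvc.exe"          # service binary PsExec drops on the remote host
WINDOWS_DIR = "c:\\windows\\"


def detect(events):
    """Return (host, severity, reason) tuples for events matching Mamba's tradecraft."""
    findings = []
    for ev in events:
        host = ev.get("host", "?")
        if ev.get("event_id") == 7045:
            name = ev.get("service_name", "")
            path = ev.get("image_path", "")
            if name.lower() == MAMBA_SERVICE:
                findings.append((host, "high", f"service {name} installed from {path}"))
            elif not path.lower().startswith(WINDOWS_DIR):
                # Noisy on its own, but a new service outside the Windows directory is
                # exactly how stage one installs DiskCryptor; keep it for correlation.
                findings.append((host, "medium", f"service {name} installed outside Windows: {path}"))
        elif ev.get("event_id") == 1:
            parent = ev.get("parent_image", "").lower()
            cmd = ev.get("command_line", "")
            if parent.endswith(PSEXEC_SERVICE):
                args = cmd.split()[1:]
                if any(not a.startswith(("-", "/")) for a in args):
                    findings.append((host, "high", f"PsExec-launched process with bare argument: {cmd}"))
                else:
                    findings.append((host, "low", f"PsExec-launched process: {cmd}"))
    return findings


if __name__ == "__main__":
    for host, sev, reason in detect(SAMPLE_EVENTS):
        print(f"[{sev}] {host}: {reason}")
```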
Kaspersky Lab was the first to flag the return of Mamba ransomware.
The attackers behind Mamba alter their demands depending on the number of systems infected. The ransom asked for depends on how many endpoints and servers were affected, a malware analyst at Kaspersky Lab told ZDNet.