New Ransomware Strain “Mamba” Capable of Full Disk Encryption

A new discovery by a Brazilian Infosec research group called Morphus Labs should (once again) make you think twice about clicking on any unsolicited links. Dubbed “Mamba,” the new ransomware strain, like the snake it was named after, strikes with a paralyzing strength, able to lock down full disks instead of just individual files. Using an open source tool called DiskCryptor, it’s able to do great damage by deeply encrypting all the data found on the target machine’s hard drive.

mamba-1

Mamba is very similar to fellow ransomware variant Petya, both of which use a disk-level encryption system, which seems to be a growing trend in the rapid spread of ransomware. “You Are Hacked,” says the message left by Mamba, along with a number victims are expected, via a unique ID, to call to find out where to pay the bitcoin worth of ransom (worth around $600) and get the private decryption key. Actually, the full message goes something like, “You are Hacked ! H.D.D Encrypted, Contact Us For Decryption Key (w889901665@yandex.com) YOURID: 123152” (as seen in the image below):

This latest ransomware strain blocks the machine’s OS from even booting up and overwrites the boot disk master boot record, or MBR replacing it with a custom MBR that displays the ransom note asking for the decryption password. As soon as the malware variant is introduced on the targeted machine, it will reboot, but before the reboot, Mamba installs itself as a fake defragmentation service via Windows, which looks like the image at left.

Renato Marinho of Morphus Labs and his team have been working around the clock to counteract the insidious lock-down proposed by Mamba. He remarks, in a post on LinkedIn Pulse: “We found Mamba last September 7, during an incident response procedure for a multinational company that had some servers compromised by this malware in Brazil, USA and India subsidiaries.”

Marinho goes on to say that the decryption password may be the same for all victims of Mamba, also known as HDDCryptor, or that it may be something related to the victim’s environment, such as a hostname, or something similar. The Morphus Labs team has not yet located the infection vector, but they are still at it. We will try to update you on Marinho’s team’s progress.

mamba-2

In the meantime, as is the case with all of our messages on ransomware, we advise never paying the ransom, but instead letting an expert in malware infection lead a step-by-step analysis and countermeasures implementation to bypass and ultimately discard the ransomware from your computer. Also, don’t click on any unsolicited links, and have only the best antivirus software running on your network and all devices.

Let the Cybersecurity Experts Handle It

If you need further advice about cybersecurity and ransomware, OffSite IT is a proven leader in providing IT consulting and cybersecurity in Chicago, IL and Southern California. Contact one of our expert IT staff at (866) 828--6674 or send us an email at info@offsiteIT.com today, and we can help you with all of your cyber safety, defense, and security questions or needs.

Alexssa

I first hired John directly as an employee back in 1999.
He was an excellent addition to a growing team at a small technology company. Subsequent to the sale of the company, John branched out on his own and started an IT consulting firm. Since that time, I have not used anyone else. John is capable, personable, has integrity and is also very likable. I would recommend him without reservation.”

  Kevin DiCerbo   

Connect With OffSite IT

    Locations
    • Los Angeles / Orange County 21520 Yorba Linda Blvd. Suite G417 Yorba Linda, CA 92887
    • Chicago 6912 Main Street Suite 214 Downers Grove, IL 60516
    • 1-866-828_-6674 info@offsiteIT.com