Security researchers have claimed that the Mamba ransomware that wreaked havoc in 2016 by affecting San Francisco’s municipal railway by infecting more than 2,000 computers is back and this time it is targeting corporations in Brazil and Saudi Arabia.
Kaspersky Lab researchers have explained the working of the group behind Mamba stating that the group gains access to an network of corporations in target countries and uses the psexec utility to execute the ransomware.
Further, for each machine in the victim’s network, the threat executor generates a password for the DiskCryptor utility. This password is passed via command line arguments to the ransomware dropper. There is currently no way to decrypt data that has been encrypted using DiskCryptor as the encryption algorithms are very strong.
As explained by researchers, the malicious activity of the Mamba ransomware can be separated into two stages – the first one involving the preparation and the second one encryption.
Stage 1 (Preparation)
As the trojan uses the DiskCryptor utility, the first stage deals with installing this tool on a victim machine. The malicious dropper stores DiskCryptor’s modules in their own resources.
Depending on OS information, the malware is able to choose between 32- or 64-bit DiskCryptor modules. The necessary modules will be dropped into the “C:xampphttp” folder.
After that, it launches the dropped DiskCryptor installer. When DiskCryptor is installed, the malware creates a service that has SERVICE_ALL_ACCESS and SERVICE_AUTO_START parameters. The last step of Stage 1 is to reboot the system.
Stage 2 (Encryption)
Using the DiskCryptor software, the malware sets up a new bootloader to MBR.
The bootloader contains the ransom message for the victim. After the bootloader is set, disk partitions would be encrypted using a password, previously specified as a command line argument for the dropper. When the encryption ends, the system will be rebooted, and a victim will see a ransom note on the screen. Kaspersky Lab products detect this threat with the help of the System Watcher component with the following verdict: PDM:Trojan.Win32.Generic.
Unfortunately, there is no way to decrypt data that has been encrypted using the DiskCryptor utility because this legitimate utility uses strong encryption algorithms.
Businesses concerned about their potential vulnerability to this threat are advised to:
- Always install critical software patches released by developers and use the latest software versions.
- Do not run or open attachments from untrusted sources.
- Backup sensitive data to external storage and keep it offline.
- Non-Kaspersky Lab customers can download the free Kaspersky Anti-Ransomware Tool for business (KART).
- If a Kaspersky Lab solution is used, ensure that itincludes the System Watcher, a behavioral proactive detection component, and that it is switched on.