Friday, February 7, 2025
HomeRansomwareMamba Ransomware is Back to Form and Resumed Attacks Against corporate Networks

Mamba Ransomware is Back to Form and Resumed Attacks Against corporate Networks

Published on

SIEM as a Service

Follow Us on Google News

A Mamba Ransomware that was badly infected the San Francisco Train System On Nov 2016, now Mamba is again back to form that resumed its attack vector against Corporate Networks.

A legitimate full disk encryption Utility called DiskCrypto used for this attack and uses the psexec utility to execute the Mamba Ransomware by the group behind of this Dangerous Ransomware.

As per the Current Observation this Ransomware attack against most of the Corporate networks that belong to Brazil and Saudi Arabia.

This Threat generates a password for the DiskCrypto Utility for each machine in the targeted network and then finally ransomware utilizes the password that has been passed via command line argument.

Mamba Ransomware

Example of the Malware Execution Command line

Also Read: Ransomware attack hit San Francisco train system

How Does Mamba Ransomware Resume its Attack

Mamba Execute its attack by using Two Stages that are Preparation and Execution.

First Stage “Preparation” Performs an installation Process of this Tool on a targeted Victims Machine by using the DiskCrypto Utility.

Once Tool will Installed the malicious dropper stores in the own Process of the DiskCryptor’s modules.

Mamba Ransomware

DiskCrypto Utility Module

“According to Karspersky Labs ,Depending on OS information, the malware is able to choose between 32- or 64-bit DiskCryptor modules. The necessary modules will be dropped into the “C:\xampp\http” folder.”

Once Malware Drops All the necessary Modules in the Concern Folder, finally it launches the dropped DiskCryptor installer.

Mamba Ransomware

Dropped DiskCryptor installer calls

After the DiskCryptor installer launched, Malware Create  SERVICE_ALL_ACCESS and SERVICE_AUTO_START parameters then finally reboot the system in end of the First Stage.
Mamba Ransomware

Parameter Create Function for For Force Reboot

In the Second Stage, This Ramsomware set up the new bootloader to MBR. New Bootloader contains the Ransom information for the Victims.

Mamba Ransomware

Ramsom Information

So, Disk Partitions will be Encrypted with Password once NewBootLoader is set.

Finally, After the encryption ends then the system will be rebooted and Victims will receive the Ransomware note on the Screen.

Ransom Note on the screen

This Ransom Detected as PDM:Trojan.Win32.Generic. by Kaspersky Lab Researchers.

Unfortunately, there is no way to decrypt data that has been encrypted using the DiskCryptor utility because this legitimate utility uses strong encryption algorithms.Kaspersky said.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Dell Update Manager Plugin Flaw Exposes Sensitive Data

Dell Technologies has issued a security advisory (DSA-2025-047) to address a vulnerability in the Dell Update...

DeepSeek iOS App Leaks Data to ByteDance Servers Without Encryption

DeepSeek iOS app—a highly popular AI assistant recently crowned as the top iOS app...

Critical Flaws in HPE Aruba ClearPass Expose Systems to Arbitrary Code Execution

Hewlett Packard Enterprise (HPE) has issued a high-priority security bulletin addressing multiple vulnerabilities in...

Splunk Introduces “DECEIVE” an AI-Powered Honeypot to Track Cyber Threats

Splunk has unveiled DECEIVE (DECeption with Evaluative Integrated Validation Engine), an innovative, AI-augmented honeypot that mimics...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Abyss Locker Ransomware Attacking Critical Network Devices including ESXi servers

The Abyss Locker ransomware, a relatively new but highly disruptive cyber threat, has been...

Globe Life Ransomware Attack Exposes Personal and Health Data of 850,000+ Users

Globe Life Inc., a prominent insurance provider, has confirmed a major data breach that...

New ‘SHIELD’ Platform Leverages FPGA and Off-Host Monitoring to Tackle Advanced Ransomware Threats

In a significant advancement against increasingly sophisticated ransomware threats, researchers from NYU Tandon School...