Wednesday, February 21, 2024

Mamba Ransomware is Back to Form and Resumed Attacks Against corporate Networks

A Mamba Ransomware that was badly infected the San Francisco Train System On Nov 2016, now Mamba is again back to form that resumed its attack vector against Corporate Networks.

A legitimate full disk encryption Utility called DiskCrypto used for this attack and uses the psexec utility to execute the Mamba Ransomware by the group behind of this Dangerous Ransomware.

As per the Current Observation this Ransomware attack against most of the Corporate networks that belong to Brazil and Saudi Arabia.

This Threat generates a password for the DiskCrypto Utility for each machine in the targeted network and then finally ransomware utilizes the password that has been passed via command line argument.

Mamba Ransomware

Example of the Malware Execution Command line

Also Read: Ransomware attack hit San Francisco train system

How Does Mamba Ransomware Resume its Attack

Mamba Execute its attack by using Two Stages that are Preparation and Execution.

First Stage “Preparation” Performs an installation Process of this Tool on a targeted Victims Machine by using the DiskCrypto Utility.

Once Tool will Installed the malicious dropper stores in the own Process of the DiskCryptor’s modules.

Mamba Ransomware

DiskCrypto Utility Module

“According to Karspersky Labs ,Depending on OS information, the malware is able to choose between 32- or 64-bit DiskCryptor modules. The necessary modules will be dropped into the “C:\xampp\http” folder.”

Once Malware Drops All the necessary Modules in the Concern Folder, finally it launches the dropped DiskCryptor installer.

Mamba Ransomware

Dropped DiskCryptor installer calls

After the DiskCryptor installer launched, Malware Create  SERVICE_ALL_ACCESS and SERVICE_AUTO_START parameters then finally reboot the system in end of the First Stage.
Mamba Ransomware

Parameter Create Function for For Force Reboot

In the Second Stage, This Ramsomware set up the new bootloader to MBR. New Bootloader contains the Ransom information for the Victims.

Mamba Ransomware

Ramsom Information

So, Disk Partitions will be Encrypted with Password once NewBootLoader is set.

Finally, After the encryption ends then the system will be rebooted and Victims will receive the Ransomware note on the Screen.

Ransom Note on the screen

This Ransom Detected as PDM:Trojan.Win32.Generic. by Kaspersky Lab Researchers.

Unfortunately, there is no way to decrypt data that has been encrypted using the DiskCryptor utility because this legitimate utility uses strong encryption algorithms.Kaspersky said.


Latest articles

Beware of VietCredCare Malware that Steals businesses’ Facebook Accounts

A new cybersecurity threat targeting Facebook advertisers in Vietnam, known as VietCredCare, has emerged....

Google Chrome 122 Update Addresses Critical Security Vulnerabilities

Google has recently unveiled Chrome 122, a significant milestone for the widely used web...

New Malicious PyPI Packages Use DLL Sideloading In A Supply Chain Attack

Researchers have discovered that threat actors have been using open-source platforms and codes for...

New Mingo Malware Attacking Linux Redis Servers To Mine Cryptocurrency

The malware, termed Migo by the creators, attempts to infiltrate Redis servers to mine cryptocurrency on...

Security Onion 2.4.50 Released for Defenders With New Features

Security Onion Solutions has recently rolled out the latest version of its network security...

VMware Urges to Remove Enhanced EAP Plugin to Stop Auth & Session Hijack Attacks

VMware has issued an urgent advisory to administrators to remove a deprecated authentication plugin...

LockBit Ransomware Members Charged by Authorities, Free Decryptor Released

In a significant blow to one of the most prolific ransomware operations, authorities from...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles