Tuesday, June 25, 2024

Mamba Ransomware is Back to Form and Resumed Attacks Against corporate Networks

A Mamba Ransomware that was badly infected the San Francisco Train System On Nov 2016, now Mamba is again back to form that resumed its attack vector against Corporate Networks.

A legitimate full disk encryption Utility called DiskCrypto used for this attack and uses the psexec utility to execute the Mamba Ransomware by the group behind of this Dangerous Ransomware.

As per the Current Observation this Ransomware attack against most of the Corporate networks that belong to Brazil and Saudi Arabia.

This Threat generates a password for the DiskCrypto Utility for each machine in the targeted network and then finally ransomware utilizes the password that has been passed via command line argument.

Mamba Ransomware

Example of the Malware Execution Command line

Also Read: Ransomware attack hit San Francisco train system

How Does Mamba Ransomware Resume its Attack

Mamba Execute its attack by using Two Stages that are Preparation and Execution.

First Stage “Preparation” Performs an installation Process of this Tool on a targeted Victims Machine by using the DiskCrypto Utility.

Once Tool will Installed the malicious dropper stores in the own Process of the DiskCryptor’s modules.

Mamba Ransomware

DiskCrypto Utility Module

“According to Karspersky Labs ,Depending on OS information, the malware is able to choose between 32- or 64-bit DiskCryptor modules. The necessary modules will be dropped into the “C:\xampp\http” folder.”

Once Malware Drops All the necessary Modules in the Concern Folder, finally it launches the dropped DiskCryptor installer.

Mamba Ransomware

Dropped DiskCryptor installer calls

After the DiskCryptor installer launched, Malware Create  SERVICE_ALL_ACCESS and SERVICE_AUTO_START parameters then finally reboot the system in end of the First Stage.
Mamba Ransomware

Parameter Create Function for For Force Reboot

In the Second Stage, This Ramsomware set up the new bootloader to MBR. New Bootloader contains the Ransom information for the Victims.

Mamba Ransomware

Ramsom Information

So, Disk Partitions will be Encrypted with Password once NewBootLoader is set.

Finally, After the encryption ends then the system will be rebooted and Victims will receive the Ransomware note on the Screen.

Ransom Note on the screen

This Ransom Detected as PDM:Trojan.Win32.Generic. by Kaspersky Lab Researchers.

Unfortunately, there is no way to decrypt data that has been encrypted using the DiskCryptor utility because this legitimate utility uses strong encryption algorithms.Kaspersky said.


Latest articles

Threat Actor Claiming a 0-day in Linux LPE Via GRUB bootloader

A new threat actor has emerged, claiming a zero-day vulnerability in the Linux GRUB...

LockBit Ransomware Group Claims Hack of US Federal Reserve

The notorious LockBit ransomware group has claimed responsibility for hacking the U.S. Federal Reserve,...

Microsoft Power BI Vulnerability Let Attackers Access Organizations Sensitive Data

A vulnerability in Microsoft Power BI allows unauthorized users to access sensitive data underlying...

Consulting Companies to Pay $11 Million Failing Cybersecurity Requirements

Two consulting companies, Guidehouse Inc. and Nan McKay and Associates, have agreed to pay...

New RAT Malware SneakyChef & SugarGhost Attack Windows Systems

Talos Intelligence has uncovered a sophisticated cyber campaign attributed to the threat actor SneakyChef....

Chinese Winnti Group Intensifies Financially Motivated Attacks

Hackers are increasingly executing financially motivated attacks and all due to the lucrative potential...

PrestaShop Website Under Injection Attack Via Facebook Module

A critical vulnerability has been discovered in the "Facebook" module (pkfacebook) from Promokit.eu for...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles