Mamba Ransomware

A Mamba Ransomware that was badly infected the San Francisco Train System On Nov 2016, now Mamba is again back to form that resumed its attack vector against Corporate Networks.

A legitimate full disk encryption Utility called DiskCrypto used for this attack and uses the psexec utility to execute the Mamba Ransomware by the group behind of this Dangerous Ransomware.

As per the Current Observation this Ransomware attack against most of the Corporate networks that belong to Brazil and Saudi Arabia.

This Threat generates a password for the DiskCrypto Utility for each machine in the targeted network and then finally ransomware utilizes the password that has been passed via command line argument.

Mamba Ransomware

Example of the Malware Execution Command line

Also Read: Ransomware attack hit San Francisco train system

How Does Mamba Ransomware Resume its Attack

Mamba Execute its attack by using Two Stages that are Preparation and Execution.

First Stage “Preparation” Performs an installation Process of this Tool on a targeted Victims Machine by using the DiskCrypto Utility.

Once Tool will Installed the malicious dropper stores in the own Process of the DiskCryptor’s modules.

Mamba Ransomware

DiskCrypto Utility Module

“According to Karspersky Labs ,Depending on OS information, the malware is able to choose between 32- or 64-bit DiskCryptor modules. The necessary modules will be dropped into the “C:\xampp\http” folder.”

Once Malware Drops All the necessary Modules in the Concern Folder, finally it launches the dropped DiskCryptor installer.

Mamba Ransomware

Dropped DiskCryptor installer calls

After the DiskCryptor installer launched, Malware Create  SERVICE_ALL_ACCESS and SERVICE_AUTO_START parameters then finally reboot the system in end of the First Stage.

Mamba Ransomware

Parameter Create Function for For Force Reboot

In the Second Stage, This Ramsomware set up the new bootloader to MBR. New Bootloader contains the Ransom information for the Victims.

Mamba Ransomware

Ramsom Information

So, Disk Partitions will be Encrypted with Password once NewBootLoader is set.

Finally, After the encryption ends then the system will be rebooted and Victims will receive the Ransomware note on the Screen.

Ransom Note on the screen

This Ransom Detected as PDM:Trojan.Win32.Generic. by Kaspersky Lab Researchers.

Unfortunately, there is no way to decrypt data that has been encrypted using the DiskCryptor utility because this legitimate utility uses strong encryption algorithms.Kaspersky said.

Leave a Reply