Monday, May 12, 2025

New Mamona Ransomware Targets Windows Systems Using Abused Ping Command


Cybersecurity researchers are raising the alarm about a newly discovered commodity ransomware strain dubbed Mamona, which is rapidly spreading across Windows systems.

Unlike most ransomware, Mamona relies on an unusual set of tactics: it abuses the humble Windows “ping” command as a timing delay and operates entirely offline, so network-based detection and response have little to work with.

Mamona Ransomware in action

Emerging on the Commodity Ransomware Scene

Mamona is the latest entrant in the expanding “commodity ransomware” sector, in which malware developers sell off-the-shelf ransomware builders to any operator rather than running high-profile, organized Ransomware-as-a-Service (RaaS) campaigns.


This decentralized model has resulted in malware strains that are harder to track and attribute, with new variants appearing almost daily.

Custom encryption logic with no standard crypto 

First sighted in campaigns linked to BlackLock affiliates and with connections to the notorious Embargo group, Mamona’s builder was recently leaked online.

Recon routine and ransom note dropping

Threat actors have since been observed distributing the ransomware in opportunistic attacks, and the DragonForce group even managed to obtain and leak sensitive configuration files tied to its infrastructure.

Offline Operation, False Threats

What sets Mamona apart from other ransomware is its complete lack of external communication: analysis found no command-and-control (C2) channel, no data exfiltration, and no meaningful internet activity at all.

Files receive a new extension

The ransomware operates in “mute mode,” executing all encryption and logic locally. Its ransom note threatens victims with data leaks and public exposure, but researchers have found this to be a bluff: Mamona does not attempt to steal files.

“Mamona, R.I.P!”. Ransom note, with a couple of lies

Mamona’s attack sequence starts with a ping to the loopback address 127.0.0.7. Every address in 127.0.0.0/8 is answered locally, so the request never leaves the host; because ping sends its echo requests roughly one second apart, the command doubles as a sleep, a long-standing trick for outwaiting sandboxes and behavioral engines with short observation windows. The choice of 127.0.0.7 rather than the customary 127.0.0.1 is also a useful detection artifact, since almost nothing legitimate pings that address.

Following this, it launches a self-deletion routine through cmd.exe, aiming to remove its own executable from the victim’s machine. These steps are designed to hamper forensic analysis and incident response.

User files are then encrypted with custom logic rather than a standard cryptographic library, and renamed with a “.HAes” extension.

Ransom notes are scattered throughout the system, and the desktop wallpaper is changed to signal the attack.
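The detection side of the sequence above, as an added example that is not code from the original article or from the researchers it cites: a small Python scanner over constructed process-creation records (the shape of a Sysmon event ID 1 or Security event 4688 command line) and file paths. It flags a ping to a loopback address other than 127.0.0.1, a ping chained with del in one cmd.exe command line (the self-deletion pattern assumed here, since the article does not print Mamona’s exact command), and the .HAes extension. The sample command lines and paths are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass


# Shape of a process-creation record (Sysmon EID 1 / Security 4688): only the
# fields this detector needs.
@dataclass
class ProcEvent:
    image: str
    command_line: str


# Constructed sample telemetry for the example; not captured from a real
# infection. The ping-then-del chain below is an assumed self-deletion
# pattern, not the article's exact command line.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\PING.EXE", "ping -n 4 8.8.8.8"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", "cmd.exe /c ping 127.0.0.1 -n 1 > nul"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c ping 127.0.0.7 -n 5 > nul & del /f /q "C:\Users\victim\AppData\Local\Temp\payload.exe"'),
    ProcEvent(r"C:\Windows\System32\PING.EXE", "ping 127.0.0.7"),
]

MAMONA_EXT = ".haes"          # ".HAes" compared case-insensitively
NORMAL_LOOPBACK = ipaddress.IPv4Address("127.0.0.1")
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def split_segments(cmdline: str) -> list[str]:
    """Split a cmd.exe command line on its chaining operators (&, &&, |, ||)."""
    return [s.strip() for s in re.split(r"&&|\|\||&|\|", cmdline) if s.strip()]


def invokes(seg: str, name: str) -> bool:
    """True if the segment runs the named command (optionally with .exe)."""
    return re.search(rf"(?:^|\s){name}(?:\.exe)?(?:\s|$)", seg, re.IGNORECASE) is not None


def ping_targets(cmdline: str) -> list[ipaddress.IPv4Address]:
    """IPv4 addresses handed to every ping invocation in the command line."""
    targets = []
    for seg in split_segments(cmdline):
        if not invokes(seg, "ping"):
            continue
        for raw in IPV4_RE.findall(seg):
            try:
                targets.append(ipaddress.IPv4Address(raw))
            except ValueError:      # e.g. 999.1.1.1 is not an address
                continue
    return targets


def is_unusual_loopback(addr: ipaddress.IPv4Address) -> bool:
    """All of 127.0.0.0/8 is loopback, but humans and tools almost always use 127.0.0.1."""
    return addr.is_loopback and addr != NORMAL_LOOPBACK


def classify(event: ProcEvent) -> list[str]:
    """Return the finding labels that apply to one process-creation record."""
    findings = []
    segments = split_segments(event.command_line)
    if any(is_unusual_loopback(t) for t in ping_targets(event.command_line)):
        findings.append("ping-sleep-unusual-loopback")
    # ping used as a delay in the same command line as del/erase: the classic
    # "wait for the parent to exit, then remove the binary" self-deletion.
    has_ping = any(invokes(s, "ping") for s in segments)
    has_del = any(invokes(s, "del") or invokes(s, "erase") for s in segments)
    if has_ping and has_del:
        findings.append("ping-delay-then-delete")
    return findings


def is_mamona_renamed(path: str) -> bool:
    """True for file paths ending in the extension Mamona appends."""
    return path.lower().endswith(MAMONA_EXT)


def scan(events: list[ProcEvent]) -> list[tuple[str, list[str]]]:
    """Command lines with at least one finding, paired with their labels."""
    hits = []
    for ev in events:
        labels = classify(ev)
        if labels:
            hits.append((ev.command_line, labels))
    return hits


if __name__ == "__main__":
    for cmdline, labels in scan(SAMPLE_EVENTS):
        print(", ".join(labels), "<-", cmdline)
    print(is_mamona_renamed(r"C:\Users\victim\Documents\report.docx.HAes"))
```

The loopback check deliberately leaves 127.0.0.1 alone, since scripts ping it constantly; the address-plus-del combination is the higher-confidence signal, and the .HAes check belongs on file-rename or file-create telemetry rather than process creation.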

Despite its disruptive impact, Mamona’s design choices have unintended benefits for victims: experts have discovered and tested a working decryption tool that can successfully restore files.

The decryption utility, though rudimentary in appearance, has been shown to reverse Mamona’s encryption, thanks to the simplicity and predictability of its locally implemented cryptography.

Security professionals warn that Mamona’s offline operation makes it invisible to traditional network monitors, and its reliance on basic Windows utilities mimics legitimate behavior.

They advise strengthening behavioral analysis on endpoints (process-creation and command-line telemetry in particular, since that is where a local-only sample shows itself), maintaining tested offline backups, and educating users on ransomware threats.

Mamona’s rise highlights the growing challenge posed by easily accessible, builder-based ransomware.

As its toolkit spreads, organizations must remain vigilant against attacks that blend technical simplicity with damaging real-world impact.


Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
