The HDDCryptor ransomware has returned under a new name, Mamba ransomware. Read on to learn more about it.
The HDDCryptor ransomware, which has been around since at least 2016, is probably familiar to you. It has since been renamed Mamba. The Federal Bureau of Investigation (FBI) has released an alert about the ransomware’s new activity.
According to a Coveware survey from the first quarter of last year, Mamba was among the top five ransomware risks, behind only REvil and Ryuk. Its share began to decline in the fourth quarter of 2020, but it remained a significant threat.
Mamba Ransomware
According to the FBI, Mamba ransomware has been targeting local governments, technology facilities, legal services, public transportation companies, and industrial, construction, manufacturing, and commercial enterprises. It turns DiskCryptor, an open-source disk-encryption tool, into a weapon, restricting access by encrypting the entire drive.
Ransomware attacks have been on the rise since the pandemic began. While Mamba attacks are common, they are not as widespread as REvil and LockBit attacks. Furthermore, because victims are unable to boot their operating systems or upload encrypted files, the attacks cannot be tracked through ID-Ransomware.
Working Mechanism
Mamba ransomware, or HDDCryptor, encrypts victim computers in the background with an attacker-specified key, using the open-source disk-encryption software DiskCryptor. The FBI states that installing DiskCryptor requires a device restart in order to load its drivers; this restart happens around two minutes after Mamba is installed.
According to the FBI, the encryption key and the shutdown time variable are also stored in DiskCryptor’s configuration, a plaintext file called myConf.txt. Once the encryption process is complete, about two hours later, the machine is restarted again and the ransom note is displayed.
Because the encryption key is saved in plaintext with no protection around it, the agency notes that this two-hour window is an opportunity for organisations infected with Mamba ransomware to recover the key.
Mamba ransomware has a distinctive feature: it overwrites the disk’s Master Boot Record (MBR), blocking access to the drive’s encrypted data. Since the encrypted files cannot be analysed by automated services like ID-Ransomware, it is more difficult to track the number of attacks.
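The recovery opportunity described above depends on preserving the plaintext myConf.txt before the second reboot wipes the chance. The following Python triage helper is an added example, not code from the article or the FBI alert: it walks a mounted volume (or a forensic copy of one), copies every file named myConf.txt into an evidence folder, and records the original path and SHA-256 hash in a manifest for the incident-response team. The file name comes from the text above; its on-disk location and internal format are not given there, so the script searches for it rather than assuming a path, and preserves it verbatim rather than parsing it.

```python
import hashlib
import json
import os
import shutil
import time


def _sha256(path: str) -> str:
    """Hash a file in chunks so large configs or disk images do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_config_files(scan_root: str, evidence_dir: str,
                          target_name: str = "myConf.txt") -> list:
    """Walk scan_root, copy every file named target_name (matched case-insensitively,
    as Windows volumes are) into evidence_dir, and return one record per hit.
    A manifest.json with the same records is written beside the copies."""
    os.makedirs(evidence_dir, exist_ok=True)
    evidence_abs = os.path.abspath(evidence_dir)
    records = []
    for dirpath, dirnames, filenames in os.walk(scan_root):
        # Never descend into our own evidence folder (it may sit under scan_root).
        dirnames[:] = [d for d in dirnames
                       if os.path.abspath(os.path.join(dirpath, d)) != evidence_abs]
        for name in filenames:
            if name.lower() != target_name.lower():
                continue
            original = os.path.join(dirpath, name)
            record = {"original": original,
                      "found_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())}
            try:
                record["sha256"] = _sha256(original)
                copy_path = os.path.join(evidence_dir, f"{len(records):04d}_{name}")
                shutil.copy2(original, copy_path)  # copy2 keeps the original timestamps
                record["copy"] = copy_path
            except OSError as exc:
                # A locked or unreadable file is still worth logging for the responder.
                record["error"] = str(exc)
            records.append(record)
    with open(os.path.join(evidence_dir, "manifest.json"), "w", encoding="utf-8") as f:
        json.dump(records, f, indent=2)
    return records
```

Run it against the affected volume as soon as the first unexpected reboot is noticed; the manifest hashes let the team show later that the preserved copy matches what was on disk.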
Other Threats
Mamba is one of several threats the FBI has warned about recently. The Bureau also issued an alert about the Pysa ransomware, which targets educational institutions.
The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint alert warning of TrickBot attacks delivered through phishing schemes that use traffic-violation lures.
FBI’s Alert Message
The FBI has also alerted that scammers have been spoofing the Bureau’s phone numbers in government impersonation fraud schemes. The FBI recommends against paying the ransom because payment does not guarantee full file recovery. Furthermore, it motivates threat actors to keep up the pressure and do as much damage as possible. Nonetheless, because of the devious extortion techniques used by ransomware operators, companies are often forced to pay. It is therefore recommended that you follow the FBI’s advice and report ransomware incidents to the IC3.