The Federal Bureau of Investigation (FBI) published an alert warning that the Mamba ransomware (aka HDDCryptor, HDD Cryptor) is abusing the open-source DiskCryptor tool to encrypt entire drives.
Mamba was one of the first malware families detected in public attacks that encrypted whole hard drives rather than individual files: it uses a disk-level encryption strategy instead of the conventional file-based one.
The first Mamba sample discovered in the wild used the full-disk encryption tool DiskCryptor to strongly encrypt the data. DiskCryptor lets users encrypt all disk drives, including the system partition, and is an alternative to Microsoft’s BitLocker.
Mamba was first spotted in September 2016, when experts at Morphus Labs discovered infections on machines belonging to an energy company in Brazil with subsidiaries in the United States and India.
The researchers shared a detailed analysis with Security Affairs, explaining that once the malware has infected a Windows machine it overwrites the existing Master Boot Record with a custom MBR and encrypts the hard drive using the DiskCryptor tool.
According to the flash alert published by the FBI, the Mamba ransomware was employed in attacks against local governments, public transportation agencies, legal services, technology services, and industrial, commercial, manufacturing, and construction businesses.
“Mamba ransomware weaponizes DiskCryptor—an open source full disk encryption software— to restrict victim access by encrypting an entire drive, including the operating system. DiskCryptor is not inherently malicious but has been weaponized.” reads the alert published by the FBI. “Once encrypted, the system displays a ransom note including the actor’s email address, ransomware file name, the host system name, and a place to enter the decryption key.”
The ransomware is simple: it consists of the open-source, off-the-shelf disk encryption software DiskCryptor wrapped in a program that installs and runs the disk encryption in the background, using a key provided by the attacker, before restarting the machine. Once the encryption process is complete the system restarts again and the malicious code displays the ransom note to the victim.
The ransom note includes information such as host system name, the threat actor’s email address, the ransomware file name, and indications on where to enter the decryption key. Furthermore, victims are told to contact the attackers by email to receive information on how they can pay a ransom to receive the decryption key.
“The attacker passes the encryption key via the command-line parameter: [Ransomware Filename].exe . The ransomware extracts a set of files and installs an encryption service. The ransomware program restarts the system about two minutes after installation of DiskCryptor to complete driver installation.” continues the alert.
The malware stores the encryption key and the shutdown time variable in a configuration file named myConf.txt. That file remains readable until the second system restart, about two hours later, which completes the encryption and displays the ransom note on the infected system.
According to the alert, if one of the DiskCryptor files is detected on a host, defenders attempting to recover the data without paying the ransom should check whether myConf.txt is still accessible and, if so, recover the password from it. This opportunity closes when the system reboots for the second time.
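The recovery window described above is short, so a responder wants a single script to run from an elevated prompt on a suspect host before the second reboot. The following triage script is an added example for this article, not code from the FBI alert or from Security Affairs. The DiskCryptor artifact file names and the service name 'dcrypt' are assumed from the upstream DiskCryptor project rather than taken from the alert; myConf.txt is named in the alert but its format is not documented, so the script copies and displays it verbatim instead of parsing it.

```powershell
# Added example (not from the FBI alert or the article). Assumptions are marked below.
# Run from an ELEVATED PowerShell prompt on a host suspected of Mamba/DiskCryptor activity,
# before the second reboot described in the alert. Do NOT reboot the host yourself.

# Artifact names assumed from the upstream DiskCryptor project (driver, API DLL,
# console, installer, GUI). The alert does not enumerate them in this article.
$DcArtifacts = @('dcrypt.sys', 'dcapi.dll', 'dccon.exe', 'dcinst.exe', 'dcrypt.exe')
$ConfigName  = 'myConf.txt'          # named in the alert; holds key + shutdown time
$Roots       = @("$env:SystemDrive\") # whole system drive; slow but complete
$Evidence    = Join-Path $env:TEMP ('mamba-triage-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null

# 1. Is the DiskCryptor driver service installed? (service name 'dcrypt' is an assumption)
$svc = Get-Service -Name 'dcrypt' -ErrorAction SilentlyContinue
if ($svc) { "[!] DiskCryptor service present: $($svc.Name) status=$($svc.Status)" }
Get-CimInstance Win32_SystemDriver -Filter "Name='dcrypt'" -ErrorAction SilentlyContinue |
    ForEach-Object { "[!] Driver image: $($_.PathName) state=$($_.State)" }

# 2. Hunt for the artifact files and the key file. -Force includes hidden/system files.
$found = Get-ChildItem -Path $Roots -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $DcArtifacts -contains $_.Name -or $_.Name -eq $ConfigName }

foreach ($f in $found) {
    $hash = (Get-FileHash -Algorithm SHA256 -Path $f.FullName).Hash
    "[+] $($f.FullName)  $($f.Length) bytes  mtime=$($f.LastWriteTimeUtc.ToString('u'))  sha256=$hash"
    # Preserve a copy (hash-suffixed so same-named files from different paths do not collide)
    Copy-Item -Path $f.FullName -Destination (Join-Path $Evidence ($f.Name + '.' + $hash.Substring(0, 8))) -Force
}

# 3. If the key file is still readable, print it so the password can be recorded offline.
$conf = $found | Where-Object Name -eq $ConfigName | Select-Object -First 1
if ($conf) {
    "[!] $ConfigName is still readable; record its contents now, before any reboot:"
    Get-Content -Path $conf.FullName -Raw
} else {
    "[-] $ConfigName not found; if the host has already rebooted twice, the window has closed."
}

# 4. Mamba restarts the host ~2 minutes after installing DiskCryptor. If that restart was
#    queued through the Windows shutdown API with a timeout, 'shutdown /a' cancels it;
#    if the sample triggers the reboot another way this is a no-op (assumption, best effort).
shutdown.exe /a 2>$null

"[i] Evidence copied to $Evidence"
```

Run it once, save the output and the evidence directory to removable media, and keep the host powered on until the contents of myConf.txt have been recorded; a file-path hunt like this is only a triage aid, since an operator can rename the DiskCryptor binaries, so treat the presence of the 'dcrypt' service or driver as the stronger indicator.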
The alert provides a list of mitigations to stay protected from ransomware families:
• Regularly back up data, air gap, and password protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data
• Implement network segmentation.
• Require administrator credentials to install software.
• If DiskCryptor is not used by the organization, add the key artifact files used by DiskCryptor to the organization’s execution blacklist. Any attempts to install or run this encryption program and its associated files should be prevented.
• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (i.e., hard drive, storage device, the cloud).
• Install updates/patch operating systems, software, and firmware as soon as they are
• Use multifactor authentication where possible.
• Regularly change passwords to network systems and accounts, and avoid reusing passwords for different accounts. Implement the shortest acceptable timeframe for password changes.
• Disable unused remote access/RDP ports and monitor remote access/RDP logs.
• Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
• Install and regularly update anti-virus and anti-malware software on all hosts.
• Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using
“The FBI does not encourage paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities,” the FBI concludes.