Ransomware, once it has infected a system, typically encrypts individual files. Most variants of the malware up to this point have acted in this manner. Starting with the ransomware named Petya, however, security researchers saw ransomware that attacked the very core of the system rather than its files. That tactic hasn’t subsided: researchers have now identified a new hard-drive-attacking ransomware.
Named Mamba, the ransomware was discussed by Renato Marinho of Morphus Labs in a recent LinkedIn post. Marinho states in this post that Mamba notifies users of its infection via the message, “You are Hacked ! H.D.D Encrypted, Contact Us For Decryption Key (firstname.lastname@example.org) YOURID: 123152.” By the time this text appears on your screen, Mamba has already encrypted your hard drive. The encryption is carried out by DiskCryptor, an open-source disk partition encryption tool. The encryption algorithms DiskCryptor supports are AES-256, Twofish, and Serpent. DiskCryptor itself is not a malicious program; it is simply a legitimate tool being misused by the cyber criminals behind the Mamba ransomware.
According to the Morphus Labs post, Mamba has been discovered on machines in India, Brazil (Morphus’ home country), and the United States. Furthermore, the attack vector for the ransomware has been identified as phishing emails. This was uncovered via an interview with Renato Marinho by Kaspersky Lab’s blog ThreatPost.
The ransomware gives an email address to contact, and in a return email a ransom of 1 bitcoin is demanded, along with instructions on how to make the payment. Once the payment is made, the attackers give the victim the password that removes Mamba’s encryption from their system. The email itself shows a picture of someone wearing a Guy Fawkes mask going by the alias “andy saolis.” This information is not helpful on its own, but the use of the popular V for Vendetta mask could mean a few things.
One theory is that the attackers are actually script kiddies who are in way over their heads. But this is unlikely: these attacks, while utilizing pre-existing software, are carried out with some knowledge of systems. Another possibility is that these actors consider themselves to be a part of the ever-malleable black hat group Anonymous. This is pure conjecture, and honestly I don’t see any indications other than the symbolism that this is the case. One final possibility is that the threat actors are using imagery associated with a feared (lol) hacking collective to scare their victims into paying. In my view, this is the most likely conclusion, because fear is the greatest motivator in getting ransomware victims to pay up.
At the moment Mamba appears to affect only Windows systems, but if the threat actors get smart this could change quickly. Unlike the aforementioned Petya, there is no decryptor for Mamba at this time. Your best bet, especially if you are running a Windows OS, is to exercise extreme caution with your emails and the links they contain.
Photo credit: Morphus Labs