Mamba Ransomware Weakness Explored by the FBI


The first record of a major attack where Mamba ransomware was used is from the end of 2016. According to the FBI, the attacks caused by this ransomware were primarily targeted against:

  • Local governments
  • Public transportation agencies
  • Legal services
  • Technology services
  • Industrial, commercial, manufacturing, and construction businesses.

Mamba ransomware, also known as HDDCryptor, uses the open-source full disk encryption software DiskCryptor. Its goal is to lock the victim out by encrypting an entire drive in the background, including the operating system. As reported, DiskCryptor is not inherently malicious but has been weaponized.


Our Cyber Incident Response Team provides an elite response for your organization after a Ransomware or Cyber Extortion Incident. LIFARS executes Bitcoin payments and establishes a cyber-secure perimeter under proper regulatory and legal oversight. Ransomware Response and Cyber Extortion containment is our expertise.


Possibility to Get the Encryption Key

After encryption, the system displays a note to the victim that includes the actor’s email address, the ransomware file name, the host system name, and a field for entering the decryption key. Victims are encouraged to contact the actor’s email address to pay the ransom. In exchange for payment, the attackers promise the decryption key, but this is no guarantee that the system and all files will be restored to their original state.

On the other hand, the FBI explains that setting up DiskCryptor requires a system restart to install the necessary drivers. The ransomware restarts the system about two minutes after installation. The report further states that key information, such as the encryption key and the shutdown time, is stored in plaintext in the file myConf.txt.

This file remains readable until a second restart roughly two hours later. During that two-hour window the encryption key is therefore unprotected, which makes it possible to recover the data without paying the ransom.

The FBI also included in its report a list of artifacts that may help detect an attack caused by Mamba ransomware:

  • $dcsys$ – Located in the root of every encrypted drive,
  • C:\Users\Public\myLog.txt – Ransomware log file,
  • C:\Users\Public\myConf.txt – Ransomware configuration file,
  • C:\Users\Public\dcapi.dll – DiskCryptor software executable,
  • C:\Users\Public\dcinst.exe – DiskCryptor software executable,
  • C:\Users\Public\dccon.exe – DiskCryptor software executable,
  • C:\Users\Public\dcrypt.sys – DiskCryptor software executable,
  • C:\Windows\System32\Drivers\dcrypt.sys – Installed DiskCryptor driver,
  • [Ransomware Filename].exe – Portable 32-bit .NET assembly compatible with 32-bit and 64-bit Windows systems which combines DiskCryptor with a simple ransom message upon boot,
  • dcinst.exe – Cryptor installer support,
  • dccon.exe – Console version of DiskCryptor,
  • myCryptoraphyService – Runs [Ransomware Filename].exe as a service and is removed once encryption is completed.
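The artifact list above and the two-hour window described earlier suggest a simple triage check: look for the named files and, if myConf.txt is present, copy it off the host before the second reboot removes access to the plaintext key. The following is an added example written for this page, not code from the FBI report or from LIFARS; it takes the Public, Drivers and drive-root directories as parameters (on a live Windows host these would be C:\Users\Public, C:\Windows\System32\Drivers and the drive letters) so that it can also be run against a mounted image or, as in demo(), a constructed sample tree.

```python
import shutil
import tempfile
from pathlib import Path
# Artifact names taken from the FBI report quoted on this page.
PUBLIC_ARTIFACTS = ("myLog.txt", "myConf.txt", "dcapi.dll",
                    "dcinst.exe", "dccon.exe", "dcrypt.sys")
DRIVER_ARTIFACT = "dcrypt.sys"   # installed copy under System32\Drivers
ROOT_MARKER = "$dcsys$"          # present in the root of every encrypted drive

def scan_for_mamba_artifacts(drive_roots, public_dir, drivers_dir):
    """Return (label, path) pairs for each listed indicator present; dirs are
    parameters so the check also runs against a mounted image or test tree."""
    findings = []
    for root in drive_roots:
        marker = Path(root) / ROOT_MARKER
        if marker.exists():
            findings.append(("$dcsys$ marker", str(marker)))
    for name in PUBLIC_ARTIFACTS:
        path = Path(public_dir) / name
        if path.exists():
            findings.append((f"DiskCryptor artifact {name}", str(path)))
    driver = Path(drivers_dir) / DRIVER_ARTIFACT
    if driver.exists():
        findings.append(("installed DiskCryptor driver", str(driver)))
    return findings

def preserve_config(public_dir, evidence_dir):
    """Copy myConf.txt (plaintext key until the second reboot) to evidence_dir."""
    src = Path(public_dir) / "myConf.txt"
    if not src.exists():
        return None          # nothing to preserve on this host
    Path(evidence_dir).mkdir(parents=True, exist_ok=True)
    dst = Path(evidence_dir) / src.name
    shutil.copy2(src, dst)
    return str(dst)

def demo():
    """Scan a constructed sample tree that mimics an infected host."""
    base = Path(tempfile.mkdtemp())
    public, drivers, drive = (base / n for n in ("Public", "Drivers", "D"))
    for d in (public, drivers, drive):
        d.mkdir()
    for name in ("myLog.txt", "myConf.txt", "dccon.exe"):  # constructed subset
        (public / name).write_text("constructed sample content")
    (drivers / DRIVER_ARTIFACT).write_bytes(b"")
    (drive / ROOT_MARKER).write_bytes(b"")
    findings = scan_for_mamba_artifacts([drive], public, drivers)
    copy = preserve_config(public, base / "evidence")
    preserved = copy is not None and Path(copy).read_text() == "constructed sample content"
    shutil.rmtree(base)
    return {"labels": [label for label, _ in findings], "preserved": preserved}
```

Run demo() to see the five indicators found in the constructed tree; in a real response, the preserved copy of myConf.txt is what the recovery effort depends on, so store it off the affected host.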

“If DiskCryptor is not used by the organization, add the key artifact files used by DiskCryptor to the organization’s execution blacklist. Any attempts to install or run this encryption program and its associated files should be prevented,” reads one of the mitigations recommended by the FBI.

Conclusion

In conclusion, the FBI neither encourages nor discourages paying the ransom if you are the victim of an attack by Mamba ransomware. It warns that even paying may not restore your system. However, the discovered weakness of this ransomware could help resolve the situation. Whether you decide to pay or not, you need to report such incidents and consult with experts in the field.


References

FBI Warning