Back in September 2016, a ransomware called Mamba was discovered by a Morphus Labs security researcher. While typical crypto-malware encrypts a pre-determined set of files, Mamba goes for the bigger slice of the pie, and locks up the whole hard drive. It will also manipulate the system’s boot process, ultimately making it impossible to use the computer.
It seems that the cybercriminals behind the malware have recently returned, back to target more corporations. According to a blog post by Anton Ivanov and Orkhan Mamedov, malware analysts at Kaspersky Lab, the latest attacks are being carried out against targets in Brazil and Saudi Arabia. Mamba still utilizes the legitimate open source program called DiskCryptor, which is responsible for locking up the entire hard drive.
Once this is installed, the system is forced to restart. The malware will now start to modify the Master Boot Record (MBR), and then disk partitions would be encrypted with a password. As soon as the process is complete, another restart will be carried out. Rather than booting to the correct operating system, victims will see a ransom note instead, which reads:
”Your Data Encrypted, Contact For Key( Mcrypt2017@yandex.com OR citrix2234@protonmail.com ) Your ID: 721 . Enter Key:
Unfortunately, there are no known methods to decrypt files or drives locked up by the Mamba ransomware. Kaspersky attributes this to the strong encryption algorithms used by the program.
With such nasty malware out in the wild, it pays to be careful of our activities on the internet. Staying away from malicious websites can help, in order to significantly reduce the risk of having our important files locked up for money.
Source: Kaspersky Lab via ZDNet | HDD image via Shutterstock