Mamba Ransomware Resurfaces in Brazil, Saudi Arabia

Kaspersky Lab in its latest report claimed that Mamba, the ransomware which appeared last year in September on machines belonging to a energy company in Brazil with subsidiaries in the United States and India. Once the malware infects a Windows machine it overwrites the existing Master Boot Record, with a custom MBR and encrypts the hard drive using an open source full disk encryption utility called DiskCryptor.

“Unfortunately there is no way to decrypt data that has been encrypted with the DiskCryptor utility, because this legitimate utility uses strong encryption algorithms,” The report suggests also that the group behind the latest Mamba attacks in Brazil and Saudi Arabia uses the PSEXEC utility to execute the malware on the corporate network once it has a foothold. PSEXEC was at the heart of the ExPetr malware attacks, which shared a number of similarities to the Petya attacks.

ExPetr used PSEXEC and WMIC, another Windows utility, spread on local networks. Its goal was not profit, but destruction; analysts looking at the malware quickly the determined the ransomware functionality was faulty and victims would never be able to recover their files. The true purpose of those attacks was to wipe out the hard drive.

According to today’s report from Kaspersky Lab, attacks are happening in two  stages. During the first stage, DiskCryptor is dropped into a new folder created by the malware and installed. A system service called DefragmentService is registered for persistence, and the victim’s machine is rebooted.The second stage sets up the new bootloader and encrypts disk partitions using DiskCryptor before the machine is rebooted again.

“It is important to mention that for each machine in a victim’s network, the threat actor generates a password for the DiskCryptor utility,” Kaspersky Lab said in its report. “This password is passed via command line arguments to the ransomware dropper.”