April 30, 2021 By David Bisson 2 min read

The operators of the Mamba ransomware strain have added weaponized DiskCryptor to their ongoing attacks, the FBI warned. An open-encryption solution, DiskCryptor, is capable of encrypting all disk partitions including the system partition. While not malicious by itself, this enables Mamba to encrypt the entire drive, including the operating system. Attackers have used Mamba ransomware to target local governments, legal services and other entities.

Read on to learn about how the new ransomware variant takes advantage of DiskCryptor to encrypt its victims’ data.

Mamba’s Use of DiskCryptor

In its FLASH alert, the FBI wrote that Mamba consists of DiskCryptor wrapped in a program. The ransomware uses this program, along with a key of the attackers’ choosing, to install and begin disk encryption in the background, the warning noted.

From there, Mamba extracts some files and installs an encryption service. It then completes driver installation by restarting the system two minutes after DiskCryptor’s installation.

The ransomware concludes its encryption routine after saving its encryption key and shutdown time variable to the configuration file (myConf.txt). This file remains readable until the second restart, which occurs about two hours later.

Other Mamba Ransomware Attacks

In 2019, TrendMicro discovered a new variant of Mamba, also known as HDDCryptor. Much of what it could do was the same as previous iterations. Mamba arrived with a modified DiskCryptor component for the purpose of encrypting disk and network files as well as overwriting the Master Boot Record.

Another notable attack came in 2016, when the Mamba gang targeted San Francisco light-rail ticketing machines. The attack didn’t prevent the trains from running, but it did drop DiskCryptor onto several of the ticketing machines. In response, the agency opened its fare gates to minimize customer impact.

Several months later, the Mamba attackers resumed their attacks around the world. Kaspersky observed the malicious actors targeting groups in Brazil and Saudi Arabia.

How to Defend Against Mamba

The FBI ransomware report noted security defenders can try to determine if myConf.txt is still accessible in the event that they detect any of the DiskCryptor files. They can then try to recover their data without having to pay the ransom.

Even so, it’s not always possible to recover the encrypted data, and the last thing you want is to support ransomware as a business model. You therefore need to focus on prevention, not defense. Use awareness training to build a positive security culture. Those lessons should leverage fake phishing emails and other tests to make sure employees are familiar with common ransomware attack vectors.

Awareness isn’t enough in the face of ever-evolving threats like ransomware. Because of that, organizations need to blend their use of human controls with technical measures such as multifactor authentication and user behavior analytics. They can pair these measures with threat intelligence to stay current with the ransomware threat landscape and set up defenses before an attack happens.

More from News

CISA adds Microsoft SharePoint vulnerability to the KEV Catalog

3 min read - In late October, the United States Cybersecurity & Infrastructure Security Agency (CISA) added a new threat to its Known Exploited Vulnerability (KEV) Catalog. Cyber criminals used remote code execution vulnerability in Microsoft SharePoint to gain access to organizations’ networks. The CISA press release states that “these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.” However, Microsoft identified and released a patch for this vulnerability in July 2024. Cybersecurity experts…

Research finds 56% increase in active ransomware groups

4 min read - Any good news is welcomed when evaluating cyber crime trends year-over-year. Over the last two years, IBM’s Threat Index Reports have provided some minor reprieve in this area by showing a gradual decline in the prevalence of ransomware attacks — now accounting for only 17% of all cybersecurity incidents compared to 21% in 2021. Unfortunately, it’s too early to know if this trendline will continue. A recent report released by Searchlight Cyber shows that there has been a 56% increase in…

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today