Mamba Ransomware: The Return of an Old Threat
Long long ago (in 2016), before the havoc brought by WannaCry and Petya there existed another dangerous ransomware that was named Mamba. Just like the snake the ransomware is named after, Mamba would likely throw you into a panic if it ever encountered your systems. What makes this particular ransomware so dangerous is that it doesn’t simply encrypt files, instead it takes whole hard drives. Once a hard drive is encrypted it’s impossible to break. Mamba was designed for sabotage according to Kaspersky and is back with a vengeance this time targeted organizations in Brazil and Saudi Arabia. Ransomware is just the mask of the malware, the reality is that destruction-focused malware is the new norm and will only continue to rise according to Kaspersky Lab’s global research team.
Brief Background of Mamba
Mamba first surfaced in September 2016 in a high profile attack on an energy company in Brazil. It used a legitimate open source software called DiskCryptor to lock down hard drives in the organization. Once a hard drive is encrypted by the software it cannot be decrypted, in essence nothing is recoverable. Shortly after that incident in November 2016 Mamba took out 900 PCs at the San Francisco Municipal Transport Agency, which caused the organization to allow free train rides to avoid severe operational disruption. The attackers demanded $73,000 to unlock the hard drives, the ransom was never paid. Mamba is rightfully one of the most destructive malwares available right now.
Current Targets & Method of Attack
Mamba has resurfaced in both Brazil and Saudi Arabia within corporate networks in those countries. With the resurgence companies globally should be on high alert. Petya alone costs one of its victims, Maersk, about $300 million. The amount of money this malware could cost may be much higher since recovery is not possible. The primary targets for Mamba are larger enterprises, as it’s intended to sabotage their networks.
Process of Attack
Kaspersky Lab has identified the process of attack for Mamba and it’s quite insidious. The attackers are able to access a company’s network by using the psExec utility which is common alternative for remote control of systems. When the attackers gain access to the network they begin stage one.
The first stage beings with the installation of the legitimate software DiskCryptor. In addition to this, a system service is created called ‘DefragmentService’. Immediately after the machine is rebooted. In the second stage, disk partitions are encrypted through DiskCryptor, followed by a reboot again. Meanwhile a new bootloader is created. The malware creates a new password for the DiskCryptor and drops the software on each machine in the network. Once the hard drive is encrypted a final reboot is made and upon starting up the ransom note appears.
The cyber criminals require all their victims to contact them to know the ransomware sum. Unlike other ransomware softwares, Mamba scales the demand of their ransom to how many endpoints are infected. It’s no doubt that it’s one of the most advanced malware developed to this date.
Despite Kaspersky’s efforts to identify Mamba there’s no effective way to counter it’s encryption once a network has been infected. The best deterrent is a set of backups, and that’s assuming the backups were not on the same server. This is a safer option than trusting the attackers to decrypt anything after you paid off a ransom to them.
So far, 2017 has been one of the most aggressive years when it comes to malware development and deployment. When Shadow Brokers did a data dump, which included the EternalBlue exploit from the NSA, it provided cyber criminals a new addition to their cyber arsenal. With the rise of destruction-oriented malware we find ourselves on a new frontier where companies will soon be defending from cyber attacks to maintain their continued existence rather than mitigating revenue losses.
Do you expect Mamba to spread as far as WannaCry did?