# The return of Mamba ransomware **securelist.com/the-return-of-mamba-ransomware/79403/** [Malware descriptions](https://securelist.com/category/malware-descriptions/) [Malware descriptions](https://securelist.com/category/malware-descriptions/) 09 Aug 2017 minute read ----- Authors Anton Ivanov [Orkhan Mamedov](https://securelist.com/author/orkhanmamedov/) At the end of 2016, there was a major attack against San Francisco’s Municipal Transportation Agency. The attack was done using Mamba ransomware. This ransomware uses a legitimate utility called DiskCryptor for full disk encryption. This month, we noted that the group behind this ransomware has resumed their attacks against corporations. ----- ## Attack Geography We are currently observing attacks against corporations that are located in: Brazil Saudi Arabia ## Attack Vector ----- As usual, this group gains access to an organization s network and uses the psexec utility to execute the ransomware. Also, it is important to mention that for each machine in the victim’s network, the threat executor generates a password for the DiskCryptor utility. This password is passed via command line arguments to the ransomware dropper. Example of malware execution ## Technical Analysis In a nutshell, the malicious activity can be separated into two stages: Stage 1 (Preparation): Create folder “C:\xampp\http“ Drop DiskCryptor components into the folder Install DiskCryptor driver Register system service called DefragmentService Reboot victim machine Stage 2 (Encryption): Setup bootloader to MBR and encrypt disk partitions using DiskCryptor software Clean up Reboot victim machine **Stage 1 (Preparation)** As the trojan uses the DiskCryptor utility, the first stage deals with installing this tool on a victim machine. The malicious dropper stores DiskCryptor’s modules in their own resources. DiskCryptor modules ----- Depending on OS information, the malware is able to choose between 32- or 64-bit DiskCryptor modules. The necessary modules will be dropped into the “C:\xampp\http” folder. The malware drops the necessary modules After that, it launches the dropped DiskCryptor installer. The call of the DiskCryptor installer When DiskCryptor is installed, the malware creates a service that has SERVICE_ALL_ACCESS and SERVICE_AUTO_START parameters. ----- The creation of the malicious service’s function The last step of Stage 1 is to reboot the system. ----- Force reboot function **Stage 2 (Encryption)** Using the DiskCryptor software, the malware sets up a new bootloader to MBR. The call for setting up a bootloader to MBR The bootloader contains the ransom message for the victim. ----- Ransomware note After the bootloader is set, disk partitions would be encrypted using a password, previously specified as a command line argument for the dropper. The call tree of encryption processes When the encryption ends, the system will be rebooted, and a victim will see a ransom note on the screen. Ransom notes ----- Kaspersky Lab products detect this threat with the help of the System Watcher component with the following verdict: PDM:Trojan.Win32.Generic. ## Decryption Unfortunately, there is no way to decrypt data that has been encrypted using the DiskCryptor utility because this legitimate utility uses strong encryption algorithms. ## IOCs: 79ED93DF3BEC7CD95CE60E6EE35F46A1 [Encryption](https://securelist.com/tag/encryption/) [Malware Descriptions](https://securelist.com/tag/malware-descriptions/) [Malware Technologies](https://securelist.com/tag/malware-technologies/) [MBR](https://securelist.com/tag/mbr/) [Ransomware](https://securelist.com/tag/ransomware/) [Targeted attacks](https://securelist.com/tag/targeted-attacks/) Authors Anton Ivanov [Orkhan Mamedov](https://securelist.com/author/orkhanmamedov/) The return of Mamba ransomware Your email address will not be published. Required fields are marked * GReAT webinars 13 May 2021, 1:00pm ### GReAT Ideas. Balalaika Edition From the same authors ----- ### Sodin ransomware exploits Windows vulnerability and processor architecture KeyPass ransomware ----- ### SynAck targeted ransomware uses the Doppelgänging technique Mining is the new black ----- ### Bad Rabbit ransomware Subscribe to our weekly e-mails The hottest research right in your inbox ----- -----