{
	"id": "d6de105d-681e-451c-8314-96e4e0f8872d",
	"created_at": "2026-04-06T00:11:07.293431Z",
	"updated_at": "2026-04-10T03:21:01.727725Z",
	"deleted_at": null,
	"sha1_hash": "44b9f90015957b5a2d8b966b5d32229899c98bc9",
	"title": "The return of Mamba ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 319885,
	"plain_text": "The return of Mamba ransomware\r\nBy Anton Ivanov\r\nPublished: 2017-08-09 · Archived: 2026-04-05 22:53:19 UTC\r\nAt the end of 2016, there was a major attack against San Francisco’s Municipal Transportation Agency. The attack was carried out using Mamba ransomware. This ransomware uses a legitimate utility called DiskCryptor for full disk encryption. This month, we noted that the group behind this ransomware has resumed their attacks against corporations.\r\nhttps://securelist.com/the-return-of-mamba-ransomware/79403/\r\nPage 1 of 8\r\nAttack Geography\r\nWe are currently observing attacks against corporations that are located in:\r\nBrazil\r\nSaudi Arabia\r\nAttack Vector\r\nAs usual, this group gains access to an organization’s network and uses the psexec utility to execute the ransomware. It is also important to mention that for each machine in the victim’s network, the threat actor generates a separate password for the DiskCryptor utility. This password is passed to the ransomware dropper via command line arguments.\r\n[Figure: Example of malware execution]\r\nTechnical Analysis\r\nIn a nutshell, the malicious activity can be separated into two stages:\r\nStage 1 (Preparation):\r\nCreate the folder “C:\\xampp\\http”\r\nDrop DiskCryptor components into the folder\r\nInstall the DiskCryptor driver\r\nRegister a system service called DefragmentService\r\nReboot the victim machine\r\nStage 2 (Encryption):\r\nSet up the bootloader in the MBR and encrypt the disk partitions using the DiskCryptor software\r\nClean up\r\nReboot the victim machine\r\nStage 1 (Preparation)\r\nAs the trojan uses the DiskCryptor utility, the first stage deals with installing this tool on the victim machine. The malicious dropper stores DiskCryptor’s modules in its own resources.\r\n[Figure: DiskCryptor modules]\r\nDepending on OS information, the malware chooses between the 32- or 64-bit DiskCryptor modules. The necessary modules are dropped into the “C:\\xampp\\http” folder.\r\n[Figure: The malware drops the necessary modules]\r\nAfter that, it launches the dropped DiskCryptor installer.\r\n[Figure: The call of the DiskCryptor installer]\r\nWhen DiskCryptor is installed, the malware creates a service with the SERVICE_ALL_ACCESS and SERVICE_AUTO_START parameters.\r\n[Figure: The function that creates the malicious service]\r\nThe last step of Stage 1 is to reboot the system.\r\n[Figure: Force reboot function]\r\nStage 2 (Encryption)\r\nUsing the DiskCryptor software, the malware sets up a new bootloader in the MBR.\r\n[Figure: The call for setting up a bootloader in the MBR]\r\nThe bootloader contains the ransom message for the victim.\r\n[Figure: Ransom note]\r\nAfter the bootloader is set, the disk partitions are encrypted using the password previously specified as a command line argument to the dropper.\r\n[Figure: The call tree of encryption processes]\r\nWhen the encryption ends, the system is rebooted, and the victim sees a ransom note on the screen.\r\n[Figure: Ransom notes]\r\nKaspersky Lab products detect this threat with the help of the System Watcher component with the following verdict: PDM:Trojan.Win32.Generic.\r\nDecryption\r\nUnfortunately, there is no way to decrypt data that has been encrypted using the DiskCryptor utility, because this legitimate utility uses strong encryption algorithms.\r\nIOCs:\r\n79ED93DF3BEC7CD95CE60E6EE35F46A1\r\nSource: https://securelist.com/the-return-of-mamba-ransomware/79403/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/the-return-of-mamba-ransomware/79403/"
	],
	"report_names": [
		"79403"
	],
	"threat_actors": [],
	"ts_created_at": 1775434267,
	"ts_updated_at": 1775791261,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/44b9f90015957b5a2d8b966b5d32229899c98bc9.pdf",
		"text": "https://archive.orkl.eu/44b9f90015957b5a2d8b966b5d32229899c98bc9.txt",
		"img": "https://archive.orkl.eu/44b9f90015957b5a2d8b966b5d32229899c98bc9.jpg"
	}
}