The return of Mamba ransomware
By Anton Ivanov
Published: 2017-08-09 · Archived: 2026-04-05 22:53:19 UTC
At the end of 2016, there was a major attack against San Francisco’s Municipal Transportation Agency. The attack
was done using Mamba ransomware. This ransomware uses a legitimate utility called DiskCryptor for full disk
encryption. This month, we noted that the group behind this ransomware has resumed their attacks against
https://securelist.com/the-return-of-mamba-ransomware/79403/
Page 1 of 8

corporations.
Attack Geography
We are currently observing attacks against corporations that are located in:
Brazil
Saudi Arabia
Attack Vector
https://securelist.com/the-return-of-mamba-ransomware/79403/
Page 2 of 8

As usual, this group gains access to an organization’s network and uses the psexec utility to execute the
ransomware. Also, it is important to mention that for each machine in the victim’s network, the threat executor
generates a password for the DiskCryptor utility. This password is passed via command line arguments to the
ransomware dropper.
Example of malware execution
Technical Analysis
In a nutshell, the malicious activity can be separated into two stages:
Stage 1 (Preparation):
Create folder “C:\xampp\http“
Drop DiskCryptor components into the folder
Install DiskCryptor driver
Register system service called DefragmentService
Reboot victim machine
Stage 2 (Encryption):
Setup bootloader to MBR and encrypt disk partitions using DiskCryptor software
Clean up
Reboot victim machine
Stage 1 (Preparation)
As the trojan uses the DiskCryptor utility, the first stage deals with installing this tool on a victim machine. The
malicious dropper stores DiskCryptor’s modules in their own resources.
https://securelist.com/the-return-of-mamba-ransomware/79403/
Page 3 of 8

DiskCryptor modules
Depending on OS information, the malware is able to choose between 32- or 64-bit DiskCryptor modules. The
necessary modules will be dropped into the “C:\xampp\http” folder.
The malware drops the necessary modules
After that, it launches the dropped DiskCryptor installer.
The call of the DiskCryptor installer
When DiskCryptor is installed, the malware creates a service that has SERVICE_ALL_ACCESS and
SERVICE_AUTO_START parameters.
https://securelist.com/the-return-of-mamba-ransomware/79403/
Page 4 of 8

The creation of the malicious service’s function
The last step of Stage 1 is to reboot the system.
https://securelist.com/the-return-of-mamba-ransomware/79403/
Page 5 of 8

Force reboot function
Stage 2 (Encryption)
Using the DiskCryptor software, the malware sets up a new bootloader to MBR.
The call for setting up a bootloader to MBR
The bootloader contains the ransom message for the victim.
https://securelist.com/the-return-of-mamba-ransomware/79403/
Page 6 of 8

Ransomware note
After the bootloader is set, disk partitions would be encrypted using a password, previously specified as a
command line argument for the dropper.
The call tree of encryption processes
When the encryption ends, the system will be rebooted, and a victim will see a ransom note on the screen.
Ransom notes
https://securelist.com/the-return-of-mamba-ransomware/79403/
Page 7 of 8

Kaspersky Lab products detect this threat with the help of the System Watcher component with the following
verdict: PDM:Trojan.Win32.Generic.
Decryption
Unfortunately, there is no way to decrypt data that has been encrypted using the DiskCryptor utility because this
legitimate utility uses strong encryption algorithms.
IOCs:
79ED93DF3BEC7CD95CE60E6EE35F46A1
Source: https://securelist.com/the-return-of-mamba-ransomware/79403/
https://securelist.com/the-return-of-mamba-ransomware/79403/
Page 8 of 8