FBI Issues Advisory Regarding Mamba Ransomware

A spike in cyberattacks employing Mamba ransomware prompted the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS) to give a flash alert notifying organizations and companies in several sectors regarding the risks of the ransomware.

As opposed to numerous ransomware variants having their own encryption programs, Mamba ransomware has adapted the open-source full disk encryption software DiskCryptor and used it as a weapon. DiskCryptor is a legit encryption tool that’s not malicious and is for that reason unlikely to be identified as such by security solutions.

The FBI has yet to give any information regarding the degree to which the ransomware has been utilized in attacks, which have to date primarily targeted government institutions and transportation, legal agencies, technology, commercial, industrial, manufacturing, construction firms.

A number of techniques are employed to get access to systems to set up the ransomware, which includes exploitation of vulnerabilities in Remote Desktop Protocol (RDP) and other unsecured means of remote access.

Rather than finding particular file extensions to encrypt, Mamba ransomware utilized DiskCryptor to encrypt the whole drives, making all attacked devices unusable. Following encryption, a ransom note is shown that tells the victim that their drive was attacked. It provides an email address for contact, the victim’s ID and Hostname, and an area to put the decryption key to recover the drive.

The Mamba ransomware package comes with a DiskCryptor, which is unpacked and set up. The system is rebooted after about two minutes to accomplish the installation, then the encryption routine begins. A second restart will happen approximately two hours afterward which finishes the encryption step and shows the ransom note.

An attack in progress can be stopped until the second restart. The encryption key and the shutdown time variable are stored in the myConfig.txt file, which can be read until before the second restart. The myConfig.txt can’t be accessed after the second restart and the system will require the decryption key to access files. This gives network defenders a brief opportunity to stop an attack and recover without the need to pay the ransom. A listing of DiskCryptor files is given in the advisory to help network defenders discover attacks in progress. These files ought to be blacklisted when DiskCryptor is not utilized.

The FBI TLP: White Alert also gives mitigations that will help prevent the success of an attack, restrict the effect in case of a successful attack, and make sure that systems may be brought back without paying the ransom demand.

Recommended mitigations consist of:

  • Saving a copy of data and keeping the backups on an air-gapped device.
  • Segmenting sites.
  • Setting up systems to only permitting administrators to install software programs.
  • Patching operating systems, software programs, and firmware immediately.
  • Employing multifactor authentication.
  • Having excellent password hygiene.
  • Deactivating unused remote access/RDP ports and keeping track of access logs.
  • Only utilizing secure networks and using a VPN for remote access.