ALBERT

TRUSTED VENDOR
Staff member
Joined
Dec 3, 2020
Messages
1,353
The Federal Bureau of Investigation has issued a flash alert to Americans highlighting the dangers of Mamba ransomware.

According to the Bureau, Mamba has been deployed against local governments, public transportation agencies, legal services, technology services, and industrial, commercial, manufacturing, and construction businesses.

The ransomware works by weaponizing an open source full-disk encryption software called DiskCryptor. By encrypting an entire drive, including the operating system, the software restricts victim access.

"DiskCryptor is not inherently malicious but has been weaponized," said the FBI in the alert issued March 23.

"Once encrypted, the system displays a ransom note including the actor’s email address, ransomware file name, the host system name, and a place to enter the decryption key."

Mamba ransomware victims are instructed to contact their attacker's email address and make a payment in exchange for a key that will decrypt their drive.

According to the FBI, there is a way for fast-acting victims to recover their files without putting a dent in their bank balance.

"The encryption key and the shutdown time variable are saved to the configuration file (myConf.txt) and is readable until the second restart about two hours later which concludes the encryption and displays the ransom note," said the FBI.

"If any of the DiskCryptor files are detected, attempts should be made to determine if the myConf.txt is still accessible. If so, then the password can be recovered without paying the ransom. This opportunity is limited to the point in which the system reboots for the second time."

The warning was issued in conjunction with a number of recommended mitigations that included implementing network segmentation and requiring administrator credentials to install software.

Users were advised to regularly back up data, to air-gap and password-protect backup copies offline, and to "ensure copies of critical data are not accessible for modification or deletion from the system where the data resides."

Paying ransoms is not encouraged by the FBI, which warns that acquiescing to threat actors' demands will not guarantee that files will be recovered.
"It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities," said the Bureau.
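
The check the FBI describes (look for DiskCryptor files, then see whether myConf.txt is still readable) can be scripted for incident-response triage. The following is an added example, not part of the alert or the original post. The DiskCryptor file names are assumed from the upstream DiskCryptor distribution, and the directory tree and file contents are constructed sample data.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CONFIG_NAME = "myconf.txt"  # myConf.txt from the alert, matched case-insensitively
# Assumption: binary names shipped by upstream DiskCryptor; the page does not list them.
DISKCRYPTOR_NAMES = {"dcrypt.exe", "dcrypt.sys", "dcapi.dll", "dcinst.exe", "dccon.exe"}

def triage(root, evidence_dir):
    """Walk root, list DiskCryptor artifacts, and preserve any readable myConf.txt.

    evidence_dir should be on external media: the local disk is being encrypted.
    """
    report = {"diskcryptor": [], "preserved": [], "unreadable": []}
    evidence = Path(evidence_dir)
    evidence.mkdir(parents=True, exist_ok=True)
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = Path(dirpath) / name
            if name.lower() in DISKCRYPTOR_NAMES:
                report["diskcryptor"].append(str(path))
            elif name.lower() == CONFIG_NAME:
                try:
                    data = path.read_bytes()
                except OSError:
                    report["unreadable"].append(str(path))
                    continue
                digest = hashlib.sha256(data).hexdigest()
                dest = evidence / f"{digest[:16]}_{name}"
                dest.write_bytes(data)  # copy only; the original is left untouched
                report["preserved"].append((str(path), str(dest), digest))
    # Per the alert: DiskCryptor files present and myConf.txt still readable
    report["recovery_window_open"] = bool(report["diskcryptor"] and report["preserved"])
    return report

def demo():
    """Run triage over a constructed directory tree (sample data, not a real host)."""
    with tempfile.TemporaryDirectory() as tmp:
        host, usb = Path(tmp, "host"), Path(tmp, "usb")
        (host / "dir_a").mkdir(parents=True)
        (host / "dir_b").mkdir()
        (host / "dir_a" / "myConf.txt").write_bytes(b"CONSTRUCTED-PLACEHOLDER")
        (host / "dir_b" / "DCRYPT.EXE").write_bytes(b"")
        return triage(host, usb)

if __name__ == "__main__":
    print(demo())
```

The preserved copy is named after the first 16 hex characters of its SHA-256 so that repeated runs do not overwrite differing versions of the file.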
 