Mamba ransomware returns and encrypts entire disks

In November 2016, cybercriminals from Mamba coded computers belonging to the subway in San Francisco. The attack included more than 2,000 machines. Researchers from Kaspersky Lab have detected the resumption of dangerous activity - at the moment attacks are aimed mainly at companies from Brazil and Saudi Arabia.

To run the ransomware, the criminal group uses the PsExec tool, and to encrypt DiskCryptor files - the password generated for the DiskCryptor tool unique to each machine is passed to the ransomware dropper using arguments on the command line.

Encryption of the entire disk begins with:

  • create a c: \ xampp \ http folder and DiskCryptor components
  • DiskCryptor driver installation
  • launching the "DefragmentService" service
  • rebooting the machine
  • the loaded DiskCryptor bootloader starts encryption

To completely encrypt the disk, legal DiskCryptor software was used, which can be operated from the command line. The harmfulness and complexity of attacks by Mamba should be considered high - unlike other gangs using ransomware, the group uses tools that encrypt entire disks, which not only block access to data, but also prevent the computer from restarting until the ransom is paid by the victim.

Cybercriminals are increasingly attacking large organizations (both commercial and non-commercial), because they know that they have a lot to lose when access to data is blocked. We are talking about hospitals, trade and industrial organizations, as well as public transport. The strategy of these attacks seems to be quite obvious - these companies have so much to lose that they will be willing to pay a ransom for regaining access to data and computers.

Currently, there is no free way to decrypt this data.


Encrypted message in the bootloader.

Ransom information after encrypting the disk.


Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.