FBI Issues Alert Concerning Mamba Ransomware

A rise in cyberattacks employing Mamba ransomware has prompted the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS) to release a flash alert warning agencies and businesses across various sectors about the threat posed by the ransomware.

Unlike many ransomware variants, which carry their own encryption routines, Mamba ransomware weaponizes DiskCryptor, a free full disk encryption tool. DiskCryptor is a legitimate encryption utility that is not malicious in itself, so security software does not identify it as such.

The FBI has not given specifics about the extent to which the ransomware has been used in attacks, which have so far mainly targeted government agencies and transportation, legal, commercial, technology, industrial, construction, and manufacturing companies.

Various techniques are used to gain access to systems and deploy the ransomware, including exploiting vulnerabilities in Remote Desktop Protocol (RDP) and other insecure remote access options.

Rather than searching for specific file extensions to encrypt, Mamba ransomware uses DiskCryptor to encrypt entire drives, rendering all affected devices unusable. After encryption, a ransom note is displayed informing the victim that their drive has been corrupted. It provides an email address for contact, the victim's hostname and ID, and a field in which to enter the decryption key to restore the drive.

The Mamba ransomware package includes DiskCryptor, which is unpacked and installed. The system is rebooted after about two minutes to complete the installation, after which the encryption routine starts. A second reboot occurs approximately two hours later, which completes the encryption and displays the ransom note.

An attack in progress can be stopped before the second reboot. The encryption key and the shutdown-time variable are stored in the file myConfig.txt, which remains readable until the second restart. After the second restart, myConfig.txt is no longer accessible and the system requires the decryption key before files can be accessed. This gives defenders a limited window in which to halt an attack and recover without paying the ransom. The alert lists the DiskCryptor files to help network defenders recognize ongoing attacks; these files should be blacklisted if DiskCryptor is not used in the organization.
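As an added illustration of the time window described above (this is example code, not part of the FBI alert or this article), the following Python triage helper classifies where a host sits in the Mamba timeline from a constructed event stream. The event wording ("myConfig.txt created", "host reboot"), the stream format and the two-hour deadline are assumptions drawn from the description above, not a real Windows or EDR log format.

```python
from datetime import datetime, timedelta

# The second reboot, after which myConfig.txt is no longer readable, follows
# the first reboot by roughly two hours according to the alert (approximate).
SECOND_REBOOT_DELAY = timedelta(hours=2)

# Constructed sample event stream for one host. The '<ISO time> <message>'
# layout is an assumption for this example, not a real log format.
SAMPLE_EVENTS = """\
2021-03-23T09:58:40 rdp logon
2021-03-23T10:00:05 myConfig.txt created
2021-03-23T10:02:10 host reboot
"""


def parse_events(text):
    """Return a list of (timestamp, message) tuples from the constructed stream."""
    events = []
    for line in text.splitlines():
        stamp, _, message = line.partition(" ")
        events.append((datetime.fromisoformat(stamp), message))
    return events


def triage(events, now):
    """Classify the host's position in the Mamba timeline at time `now`.

    Stages: 'no_indicator' (no myConfig.txt seen), 'staged' (file seen, first
    reboot not yet observed), 'window_open' (first reboot seen, second reboot
    not yet due: copy myConfig.txt and isolate the host now), 'encrypted'
    (second reboot observed or deadline passed: key no longer recoverable).
    """
    config_seen = [t for t, m in events if m.startswith("myConfig.txt created")]
    reboots = [t for t, m in events if m.startswith("host reboot")]
    if not config_seen:
        return {"stage": "no_indicator", "minutes_left": None}
    first_reboot = next((t for t in reboots if t >= config_seen[0]), None)
    if first_reboot is None:
        return {"stage": "staged", "minutes_left": None}
    deadline = first_reboot + SECOND_REBOOT_DELAY
    second_reboot_seen = any(t > first_reboot for t in reboots)
    if second_reboot_seen or now >= deadline:
        return {"stage": "encrypted", "minutes_left": 0}
    minutes_left = int((deadline - now).total_seconds() // 60)
    return {"stage": "window_open", "minutes_left": minutes_left}


if __name__ == "__main__":
    result = triage(parse_events(SAMPLE_EVENTS), datetime(2021, 3, 23, 10, 32, 10))
    print(result)  # {'stage': 'window_open', 'minutes_left': 90}
```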

The FBI TLP:WHITE alert also recommends mitigations that make a successful attack harder to achieve, limit the impact of a successful attack, and ensure that systems can be restored without paying a ransom.

The recommended mitigations include:

  1. Backing up data and storing the copies on an air-gapped device.
  2. Segmenting systems.
  3. Configuring systems so that only administrators can install software.
  4. Patching operating systems, applications, and firmware promptly.
  5. Using multifactor authentication.
  6. Practicing good password hygiene.
  7. Disabling rarely used remote access/RDP ports and monitoring access logs.
  8. Using only secure networks and a VPN for remote access.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also holds a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone