An increase in cyberattacks involving Mamba ransomware has prompted the Federal Bureau of Investigation and the Department of Homeland Security to issue a flash alert warning organizations and companies in multiple sectors about the dangers of the ransomware.
In contrast to many ransomware variants that have their own encryption routines, Mamba ransomware has weaponized the open source full disk encryption software DiskCryptor. DiskCryptor is a legitimate encryption tool that is not malicious and is therefore unlikely to be detected as such by security software.
The FBI has not provided any details of the extent to which the ransomware has been used in attacks, which have so far mostly targeted government agencies and transportation, legal services, technology, industrial, commercial, manufacturing, and construction companies.
Several methods are used to gain access to systems to deploy the ransomware, including exploitation of vulnerabilities in Remote Desktop Protocol (RDP) and other unsecured methods of remote access.
Rather than searching for certain file extensions to encrypt, Mamba ransomware uses DiskCryptor to encrypt entire drives, rendering all infected devices inoperable. After encryption, a ransom note is displayed that alerts the victim that their drive has been infected; it provides an email address for contact, the victim’s ID and hostname, and a field in which to enter the decryption key to restore the drive.
The Mamba ransomware package includes DiskCryptor, which is unpacked and installed. The system is rebooted after around two minutes to complete the installation, and the encryption routine is started. A second restart will take place around two hours later which completes the encryption routine and displays the ransom note.
It is possible to stop an attack in progress up until the second restart. The encryption key and the shutdown time variable are saved to the configuration file – myConfig.txt – which remains readable until the second restart. myConfig.txt cannot be accessed after the second restart, and the decryption key will then be required to decrypt files. This gives network defenders a short window of opportunity to stop an attack and recover without having to pay the ransom. A list of DiskCryptor files is included in the alert to help network defenders identify attacks in progress. These files should be blacklisted if DiskCryptor is not used.
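The hunt-and-preserve step this window calls for, as an added example that is not code from the article or the FBI alert: it sweeps a Windows host for the artifacts described above and copies myConfig.txt off to an evidence folder while it is still readable. Only myConfig.txt is named on this page; the other indicator names are DiskCryptor component file names and the driver service name are assumed here and should be replaced with the file list from the alert.

```powershell
# Added example: hunt a Windows host for Mamba/DiskCryptor artifacts and preserve
# myConfig.txt before the second reboot makes it unreadable. Run elevated.
param(
    [string[]]$SearchRoots = @('C:\'),
    [string]$EvidenceDir   = 'C:\IR\mamba-evidence'   # assumed collection location
)

# myConfig.txt comes from the alert text; the remaining names are assumed
# DiskCryptor component files. Substitute the list published in the alert.
$Indicators = @('myConfig.txt', 'dcrypt.exe', 'dcrypt.sys', 'dccon.exe', 'dcinst.exe', 'dcapi.dll')

# 1. File-system sweep for the indicator names.
$hits = foreach ($root in $SearchRoots) {
    Get-ChildItem -Path $root -Recurse -File -Force -Include $Indicators -ErrorAction SilentlyContinue
}

# 2. DiskCryptor runs as a kernel driver; an installed driver service on a host that
#    does not legitimately use DiskCryptor is a strong signal (service name assumed).
$driver = Get-CimInstance Win32_SystemDriver -Filter "Name LIKE 'dcrypt%'" -ErrorAction SilentlyContinue

if (-not $hits -and -not $driver) {
    Write-Output "No DiskCryptor/Mamba indicators found on $env:COMPUTERNAME"
    return
}

Write-Warning "Possible Mamba activity on $env:COMPUTERNAME"
$hits   | ForEach-Object { Write-Warning "  file: $($_.FullName)  modified $($_.LastWriteTime)" }
$driver | ForEach-Object { Write-Warning "  driver service: $($_.Name) state=$($_.State)" }

# 3. Preserve myConfig.txt now: it holds the encryption key and the shutdown time
#    variable, and the page states it cannot be accessed after the second restart.
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$hits | Where-Object { $_.Name -eq 'myConfig.txt' } | ForEach-Object {
    $dest = Join-Path $EvidenceDir "$env:COMPUTERNAME-$stamp-myConfig.txt"
    Copy-Item -LiteralPath $_.FullName -Destination $dest -Force
    # Hash the preserved copy so the evidence can be verified later.
    Get-FileHash -LiteralPath $dest -Algorithm SHA256 | Format-List Path, Hash
}
```

Move the preserved copy off the host immediately, since the remaining window closes at the second restart.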
The FBI TLP: White Alert also details mitigations that make it harder for an attack to succeed, limit the impact of a successful attack, and ensure that systems can be recovered without paying the ransom.
Suggested mitigations include:
- Backing up data and storing the backups on an air-gapped device.
- Segmenting networks.
- Configuring systems to only allow software to be installed by administrators.
- Patching operating systems, software, and firmware promptly.
- Implementing multifactor authentication.
- Maintaining good password hygiene.
- Disabling unused remote access/RDP ports and monitoring access logs.
- Only using secure networks and implementing a VPN for remote access.