In November 2016, Mamba ransomware targeted the San Francisco Municipal Transportation Agency (Muni). The hackers issued a ransom demand of 100 Bitcoin – $73,000 – for the keys to disable the encryption. Muni refused to pay up, instead choosing to recover files from backups. However, the Mamba ransomware attack still proved expensive to the company. The attack took its fare system out of action and passengers were permitted to travel for free for more than a day, a normal weekend day’s takings would be around $120,000.
Since then the Mamba ransomware has not been seen so much. However, this month has seen several Mamba ransomware attacks, suggesting that the gang behind the malware is operating again. Those attacks are geographically focused with companies in Saudi Arabia and Brazil currently in the firing line, according to Kaspersky Lab researchers who first noticed the attacks.
Mamba ransomware uses DiskCryptor for full disk encryption instead of searching for and encrypting certain file types. That means a Mamba ransomware attack will stop the operating system from running.
Once downloaded, the malware forces a reboot of the system and changes the Master Boot Record and encrypts disk partitions and reboots again, this time victims are shown a warning screen advising data have been encrypted. The attacks share some commonalies with the NotPetya (ExPetr) attacks of June.
The algorithms which used to encrypt the data are strong and there is no known decryptor for Mamba Ransomware. If the disk becomes encrypted, victims face complete file loss if they do not have a viable backup and refuse to pay the ransom demand. However, the most recent attacks make no mention of payment of a ransom. Victims are just told to email one of two email addresses for the decryption key.
The reason for this approach is it enables ransoms to be set by the hackers on an infection by infection basis. Once the extent of encryption is seen and the victim is identified, the hackers can set the ransom payment accordingly.
It is not yet known whether the hackers hold the keys to unlock the encryption and whether payment of the ransom will lead to file recovery. Kaspersky reports that the group responsible for this ransomware variant has not been identified. This may be a criminal attack by an organized crime gang or a nation-state sponsored cyberattack where the aim is not to obtain ransoms but to sabotage companies.