FBI Issues Alert on Mamba Ransomware
Malware's Use of Legitimate Encryption Software Makes It Difficult to Detect
The FBI and the U.S. Department of Homeland Security have issued a warning about Mamba ransomware that uses a weaponized version of the legitimate, open-source encryption software DiskCryptor to lock victims out of their systems.
The alert was likely issued due to a spike in Mamba ransomware attacks spotted by federal authorities, says Drew Schmitt, senior threat intelligence analyst at GuidePoint Security, who adds that Mamba warrants a high-level warning because it is so difficult to detect and is widely used by attackers.
"The reason ransomware groups such as Mamba are particularly dangerous is because during their ransomware operations, they use applications that can be used legitimately by systems administrators and IT professionals," Schmitt says. "This makes it more difficult to detect these types of ransomware groups within an environment."
Mamba, which has been in use since about 2016, does have a flaw. The FBI alert notes that with each attack, there's a small window of opportunity to recover the password created by the attacker and then recover the system without paying the ransom.
The FBI alert does not offer details on the number of Mamba-related attacks spotted, but it notes that attackers are using the ransomware against a wide variety of targets, including local governments, transportation agencies, legal services and technology services, as well as industrial, commercial, manufacturing and construction businesses.
"From my experience, incidents relating to Mamba ransomware are common, but they are not as active as other ransomware variants, such as Ryuk, Egregor or Maze," Schmitt says.
Austin Berglas, global head of professional services with the cyber risk management firm BlueVoyant, notes that Mamba was used in the 2017 attack on the San Francisco Municipal Transportation Agency.
Joseph Cortese, penetration testing practice lead at the security and compliance firm A-LIGN, says there were Mamba waves in 2017, 2019 and 2020. "It's a strain that gets updated and modified over time, so we should expect it will continue to be adapted for more nefarious purposes," he says.
Steps in a Mamba Attack
A Mamba attack begins with attackers gaining access to a victim's system by using internet-exposed Remote Desktop Protocol or other unsecured methods of remote access, Schmitt says.
In the next step, the FBI alert says, the attackers set up the encryption key via the command-line parameter and create a password. The ransomware extracts a set of files and installs DiskCryptor; two minutes after the encryption software is installed, the system restarts. The encryption process then runs for the next two hours, at which point the system reboots.
The password created at this stage is the key to unlocking a system without having to pay the attacker's ransom demand, the alert says.
"If any of the DiskCryptor files are detected, attempts should be made to determine if the myConf.txt is still accessible. If so, then the password can be recovered without paying the ransom," according to the alert.
If the files are not detected and the encryption process runs its course, the system displays the ransom note, including the attackers' email address, ransomware file name, the host system name and a place to enter the decryption key. The attackers instruct the victims to contact them to pay the ransom in exchange for the decryption key, the alert says. The amount of ransom demanded was not mentioned in the alert.
The fact that Mamba requires so many steps may be one reason it is not more commonly used, Schmitt says.
The most important defensive measure, the alert says, is that if an organization does not use DiskCryptor, it should add the key artifact files used by DiskCryptor to the organization's execution blacklist. That way, any attempts to install or run this encryption program and its associated files should be prevented.
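The blocklist advice above only works if the DiskCryptor artifact names are actually watched for. The following is an added example, not code from the article or the FBI alert: it scans constructed process-creation events for executions that reference DiskCryptor files. The only file name the article itself gives is myConf.txt; the other entries in the artifact set are assumed component names from DiskCryptor's public distribution and must be checked against the alert's own list before being used in production. The log format and sample events are constructed for the example.

```python
"""Flag process-creation events that reference DiskCryptor artifacts.

Added example; not from the article or the FBI alert. Artifact names other
than myConf.txt are ASSUMED (DiskCryptor's public component names) and must
be verified against the alert's artifact list before deployment.
"""
import ntpath
import re
from dataclasses import dataclass

# myConf.txt is named in the alert as quoted by the article; the rest are
# assumed DiskCryptor component names (GUI, console tool, installer, API
# library, kernel driver). Comparison is case-insensitive.
DISKCRYPTOR_ARTIFACTS = frozenset(
    name.lower()
    for name in (
        "myConf.txt",  # from the article
        "dcrypt.exe",  # assumed
        "dccon.exe",   # assumed
        "dcinst.exe",  # assumed
        "dcapi.dll",   # assumed
        "dcrypt.sys",  # assumed
    )
)


@dataclass(frozen=True)
class Finding:
    host: str
    image: str
    command_line: str


# Constructed event format: host=<name> image="<path>" cmdline="<args>"
_EVENT_RE = re.compile(
    r'^host=(?P<host>\S+) image="(?P<image>[^"]*)" cmdline="(?P<cmd>[^"]*)"$'
)


def parse_event(line):
    """Return (host, image, cmdline) or None for lines in another format."""
    m = _EVENT_RE.match(line.strip())
    if not m:
        return None
    return m.group("host"), m.group("image"), m.group("cmd")


def referenced_files(image, command_line):
    """Yield the basename of the image and of every command-line token.

    Windows paths are handled with ntpath so this also runs on non-Windows
    analysis hosts. Tokens that are not paths simply never match.
    """
    yield ntpath.basename(image)
    for tok in command_line.split():
        yield ntpath.basename(tok.strip('"'))


def scan(lines, blocklist=DISKCRYPTOR_ARTIFACTS):
    """Return a Finding for every event that touches a blocklisted file name."""
    findings = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        host, image, cmd = parsed
        if any(f.lower() in blocklist for f in referenced_files(image, cmd)):
            findings.append(Finding(host, image, cmd))
    return findings


# Constructed sample events: two benign, two touching DiskCryptor artifacts.
SAMPLE_EVENTS = [
    'host=ws01 image="C:\\Windows\\System32\\svchost.exe" cmdline="svchost.exe -k netsvcs"',
    'host=ws01 image="C:\\Windows\\Temp\\dcrypt.exe" cmdline="dcrypt.exe"',
    'host=fs02 image="C:\\Windows\\System32\\notepad.exe" cmdline="notepad.exe C:\\Temp\\myConf.txt"',
    'host=fs02 image="C:\\Program Files\\7-Zip\\7z.exe" cmdline="7z.exe x archive.zip"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding.host}: {finding.image} | {finding.command_line}")
```

A name-based list like this is a detection aid, not a control: an attacker can rename the binaries, so the execution blocklist the alert recommends should be enforced with hash or publisher rules in the endpoint's application-control tooling, with the name match used to catch the residual cases and to trigger the myConf.txt check the alert describes. The scan is only appropriate where, as the alert stipulates, the organization does not use DiskCryptor legitimately.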
Other risk mitigation tips provided by the FBI include:
- Implement network segmentation;
- Require administrator credentials to install software;
- Disable unused remote access/RDP ports and monitor remote access/RDP logs;
- Only use secure networks and avoid using public Wi-Fi networks;
- Consider installing and using a VPN.