The Mamba Ransomware that has hit San Francisco’s municipal railway system is back- targeting enterprises in new countries
Kaspersky Lab researchers claim to have discovered the group which carried out the Mamba attack and it has resumed the attacks – targeting corporations, so far mainly in Brazil and Saudi Arabia.
Usually, this group targets organization’s network and uses the psexec utility to execute the ransomware. It also targets each machine in the victim’s network, the threat executor generates a password for the DiskCryptor utility. This password is passed via command line arguments to the ransomware dropper. There is currently no way to decrypt data that has been encrypted using DiskCryptor as the encryption algorithms are very strong.
Researchers have categorized the attacks in two separate stages:
Stage 1 (Preparation)
As the trojan uses the DiskCryptor utility, the first stage deals with installing this tool on a victim machine. The malicious dropper stores DiskCryptor’s modules in their own resources.
Depending on OS information, the malware is able to choose between 32- or 64-bit DiskCryptor modules. The necessary modules will be dropped into the “C:\xampp\http” folder.
After that, it launches the dropped DiskCryptor installer. When DiskCryptor is installed, the malware creates a service that has SERVICE_ALL_ACCESS and SERVICE_AUTO_START parameters. The last step of Stage 1 is to reboot the system.
Stage 2 (Encryption)
Using the DiskCryptor software, the malware sets up a new bootloader to MBR.
The bootloader contains the ransom message for the victim. After the bootloader is set, disk partitions would be encrypted using a password, previously specified as a command line argument for the dropper.
When the encryption ends, the system will be rebooted, and a victim will see a ransom note on the screen. Kaspersky Lab products detect this threat with the help of the System Watcher component with the following verdict: PDM:Trojan.Win32.Generic.
Unfortunately, there is no way to decrypt data that has been encrypted using the DiskCryptor utility because this legitimate utility uses strong encryption algorithms.
In late November 2016, a huge attack took place against San Francisco’s municipal railway. Perpetrated with ransomware called Mamba, the attack apparently took out more than 2,000 computers belonging to the San Francisco Municipal Transport Agency (SFMTA).
Businesses concerned about their potential vulnerability to this threat are advised to:
Always install critical software patches released by developers and use the latest software versions.
- Do not run or open attachments from untrusted sources.
- Backup sensitive data to external storage and keep it offline.
- Non-Kaspersky Lab customers can download the free Kaspersky Anti-Ransomware Toolfor business (KART).
- If a Kaspersky Lab solution is used, ensure that it includes the System Watcher, a behavioral proactive detection component, and that it is switched on.