In November last year, the San Francisco Municipal Transportation Agency (Muni) was attacked with Mamba ransomware. The attackers issued a ransom demand of 100 Bitcoin – $73,000 – for the keys to unlock the encryption. Muni refused to pay up, instead opting to recover files from backups. However, the Mamba ransomware attack still proved costly. The attack took its fare system out of action and passengers had to be allowed to travel for free for more than a day. The average take on fares on a weekend day is $120,000.
It has been relatively quiet on the Mamba ransomware front since that attack, although this month has seen several Mamba ransomware attacks, indicating the gang behind the malware is back in action. Those attacks are geographically targeted, with businesses in Saudi Arabia and Brazil currently in the firing line, according to Kaspersky Lab researchers who first detected the attacks.
Mamba ransomware uses DiskCryptor for full disk encryption rather than searching for and encrypting certain file types. That means a Mamba ransomware attack will prevent the operating system from running.
Once installed, the malware forces a reboot of the system, modifies the Master Boot Record and encrypts the disk partitions, then reboots again. This time victims are presented with a warning screen advising them that their data have been encrypted. The attacks share some similarities with the NotPetya (ExPetr) attacks of June.
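The sequence just described (a disk-encryption driver is installed, the Master Boot Record is overwritten, and the host is forced to reboot) is something endpoint telemetry can be correlated on. The following is an added example written for this article, not code from the article, from Kaspersky or from the WebTitan product: it parses a few constructed log lines and raises an alert when a single host shows an MBR write and a forced reboot inside a short window, with a higher severity when a kernel-driver service install is also seen. The log format, event names, field names and the 15-minute window are all assumptions made for the example.

```python
"""
Correlate constructed endpoint telemetry into an alert for the
full-disk-encryption sequence described in the article:
driver install -> MBR (sector 0) overwrite -> forced reboot.
Everything below (log format, event names, field names, window) is an
assumption made for this example; the sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, one event per line (assumed format):
#   <ISO timestamp> <host> <EVENT_NAME> key=value ...
SAMPLE_LOG = """\
2017-08-08T09:55:10 WS-17 PROCESS_CREATE image=C:\\Windows\\System32\\notepad.exe user=alice
2017-08-08T10:01:02 WS-17 SERVICE_INSTALL name=DiskFilterSvc type=kernel_driver start=boot
2017-08-08T10:01:05 WS-17 RAW_DISK_WRITE device=\\\\.\\PhysicalDrive0 offset=0 length=512
2017-08-08T10:01:09 WS-17 REBOOT_INITIATED reason=forced user=SYSTEM
2017-08-08T10:03:30 WS-42 RAW_DISK_WRITE device=\\\\.\\PhysicalDrive0 offset=1048576 length=4096
2017-08-08T11:30:00 WS-42 REBOOT_INITIATED reason=user user=bob
2017-08-08T12:00:00 WS-09 SERVICE_INSTALL name=BackupAgent type=own_process start=auto
"""

LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z_]+)(.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
WINDOW = timedelta(minutes=15)  # assumed correlation window


def parse_line(line):
    """Parse one telemetry line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, event, rest = m.groups()
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host,
        "event": event,
        "fields": dict(KV_RE.findall(rest)),
    }


def indicator(ev):
    """Map one event to the indicator it represents, or None if it is benign."""
    f = ev["fields"]
    if ev["event"] == "SERVICE_INSTALL" and f.get("type") == "kernel_driver":
        return "driver_install"
    # A raw write at offset 0 of a physical drive is the MBR sector.
    if (ev["event"] == "RAW_DISK_WRITE"
            and "PhysicalDrive" in f.get("device", "")
            and f.get("offset") == "0"):
        return "mbr_write"
    if ev["event"] == "REBOOT_INITIATED" and f.get("reason") == "forced":
        return "forced_reboot"
    return None


def detect(log_text):
    """Return one alert per host whose indicators co-occur inside WINDOW."""
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and (ind := indicator(ev)):
            by_host[ev["host"]].append((ev["ts"], ind))

    alerts = []
    for host, hits in by_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            seen = {ind for t, ind in hits[i:] if t - t0 <= WINDOW}
            # MBR overwrite plus forced reboot is the minimum to alert on;
            # a kernel-driver install in the same window raises severity.
            if "mbr_write" in seen and "forced_reboot" in seen:
                alerts.append({
                    "host": host,
                    "start": t0.isoformat(),
                    "indicators": sorted(seen),
                    "severity": "high" if "driver_install" in seen else "medium",
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run as a script it reports a single high-severity alert for WS-17; the raw write on WS-42 lands well past sector 0 and its reboot was user-initiated, so that host stays quiet. In a real deployment the three indicators would come from the endpoint agent already in place (driver-load and raw-disk-access telemetry), and the window would be tuned to the agent's event latency.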
The algorithms used to encrypt the data are strong and there is no known decryptor for Mamba ransomware. If the disk is encrypted, victims face permanent file loss if they do not have a viable backup and refuse to pay the ransom demand. However, the latest attacks make no mention of payment of a ransom. Victims are just instructed to email one of two email addresses for the decryption key.
The reason for this approach is that it allows ransoms to be set by the attackers on an infection-by-infection basis. Once the extent of encryption is determined and the victim is identified, the attackers can set the ransom payment accordingly.
It is currently unclear whether the attackers hold the keys to unlock the encryption and whether payment of the ransom will result in file recovery. Kaspersky reports that the group behind this ransomware variant has not been identified. This may be a criminal attack by an organized crime gang or a nation-state sponsored cyberattack where the intention is not to obtain ransoms but to sabotage businesses.
Businesses can enhance their defences against this and other malware variants by implementing WebTitan.
WebTitan is a web filtering solution for the enterprise that allows businesses to prevent end users from visiting malicious websites, such as those used for phishing and for downloading malware and ransomware. By blocking access to malicious sites and carefully controlling access to sites known to carry a high risk of malware delivery – file sharing websites for example – businesses can prevent web-based malware attacks.