Advanced Notification of Cyber Threats against Mamba Ransomware

Security Advisory AE-Advisory 17-42 Criticality Critical

Advisory Released On 13 August 2017

Impact

Mamba ransomware fully encrypts the hard drive of an infected machine.

Solution

Follow the recommendations given under the Solution section below.

Affected Platforms

- Windows (all supported and unsupported versions)

Summary

aeCERT, the trusted cyber security coordination centre for the region, has identified a ransomware family that is new to the region, known as "Mamba" (also reported as HDDCryptor). Mamba does not implement its own cryptography: it abuses DiskCryptor, a legitimate open-source full-disk encryption utility, to encrypt the entire disk of the infected machine. The attackers first obtain access to the victim's network and then use the PsExec utility to execute the malware on target machines. Once running, the malware installs the DiskCryptor driver and a system service, forces the machine to restart, and then encrypts the disk.

Advisory Details

Mamba's intrusion pattern resembles that of other ransomware families used in targeted attacks, such as WannaCrypt and Petya, and it is deployed against corporations and organisations rather than individual users. The attackers use Mamba to encrypt the hard drive of the victim's machine. The ransomware relies on the legitimate DiskCryptor utility to achieve full-disk encryption and replaces the Master Boot Record (MBR) with its own bootloader, so the machine cannot boot into Windows at all. To recover the machine, the victim is instructed to contact the attacker for the password needed to decrypt the drive. The attackers must first gain access to the company network; they then use the PsExec utility to run the ransomware on the victim machines, which means they already hold valid administrative credentials at the time of deployment.

The attackers generate a password for DiskCryptor and pass it to the ransomware dropper as a command-line argument; the same password is the only way to decrypt the disk afterwards. Mamba runs in two stages. The first stage is preparation: the dropper creates the folder "C:\xampp\http" and drops the DiskCryptor components into it, selecting the 32-bit or 64-bit binaries according to the OS architecture it detects. After the files are dropped, it installs the DiskCryptor driver.


Still in stage one, once the DiskCryptor driver is installed, the malware registers a system service named "DefragmentService", requesting SERVICE_ALL_ACCESS rights and the SERVICE_AUTO_START start type so that it runs automatically after the reboot that follows.


The final step in stage one is to reboot the victim’s machine.

In the second stage, which runs after the reboot, the malware encrypts the disk using DiskCryptor and then installs its own bootloader in the MBR (Master Boot Record).

Once the new bootloader is in place, the victim sees a ransom message at boot time containing the attacker's e-mail address, which they are told to contact for the decryption key.


Indicators of Compromise (IOCs)

MD5: 79ED93DF3BEC7CD95CE60E6EE35F46A1
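The following PowerShell script is an added example and is not part of the aeCERT advisory or of the analysis it draws on. It checks a single Windows host for the artefacts described under Advisory Details (the "C:\xampp\http" staging folder, the "DefragmentService" service, the DiskCryptor driver and the service-installation events they leave behind) and hashes anything in the staging folder against the MD5 IOC above. Two things it relies on are assumptions not stated in the advisory: the DiskCryptor file names it looks for (dcapi.dll, dccon.exe, dcinst.exe, dcrypt.sys) are the ones shipped by the DiskCryptor project, and the check for "PSEXESVC" relies on PsExec installing a service by that name on the target it executes against. Run it from an elevated PowerShell 5.1 or later session.

```powershell
# Added example (not from the aeCERT advisory): hunt for Mamba/HDDCryptor
# artefacts on one Windows host. Assumptions: elevated PowerShell 5.1+;
# DiskCryptor component names are those of the open-source DiskCryptor project.

$Findings = New-Object System.Collections.Generic.List[string]

# IOC published in the advisory (MD5 of the known dropper sample).
$KnownMd5 = @('79ED93DF3BEC7CD95CE60E6EE35F46A1')

# Stage-one staging folder and the DiskCryptor files the dropper places there.
$StagingDir       = 'C:\xampp\http'
$DiskCryptorFiles = @('dcapi.dll', 'dccon.exe', 'dcinst.exe', 'dcrypt.sys')

# 1. Staging folder and dropped DiskCryptor components.
if (Test-Path -LiteralPath $StagingDir) {
    $Findings.Add("Staging folder present: $StagingDir")
    Get-ChildItem -LiteralPath $StagingDir -File -ErrorAction SilentlyContinue |
        Where-Object { $DiskCryptorFiles -contains $_.Name.ToLower() } |
        ForEach-Object { $Findings.Add("DiskCryptor component dropped: $($_.FullName)") }

    # 5. Hash executables/drivers in the staging folder against the advisory IOC.
    Get-ChildItem -LiteralPath $StagingDir -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
        ForEach-Object {
            $Hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash
            if ($KnownMd5 -contains $Hash) { $Findings.Add("IOC hash match: $($_.FullName) $Hash") }
        }
}

# 2. The service the malware registers ("DefragmentService", auto-start).
$Svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='DefragmentService'" -ErrorAction SilentlyContinue
if ($Svc) {
    $Findings.Add("Service DefragmentService found (StartMode=$($Svc.StartMode), Path=$($Svc.PathName))")
}

# 3. The DiskCryptor kernel driver, even if the service name was changed.
Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -eq 'dcrypt' -or $_.PathName -match 'dcrypt\.sys$' } |
    ForEach-Object { $Findings.Add("DiskCryptor driver registered: $($_.Name) $($_.PathName) (State=$($_.State))") }

# 4. Service-installation events (System log, event ID 7045). Properties[0] is the
#    service name and Properties[1] the image path. PSEXESVC is the service PsExec
#    installs on a target, i.e. the remote-execution step the advisory describes.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $SvcName = [string]$_.Properties[0].Value
        $Image   = [string]$_.Properties[1].Value
        if ($SvcName -match '^(DefragmentService|PSEXESVC|dcrypt)$' -or $Image -match 'xampp\\http|dcrypt\.sys') {
            $Findings.Add("Event 7045 at $($_.TimeCreated): service '$SvcName' image '$Image'")
        }
    }

if ($Findings.Count -eq 0) {
    Write-Output 'No Mamba/HDDCryptor artefacts found on this host.'
} else {
    Write-Warning "Possible Mamba/HDDCryptor activity: $($Findings.Count) finding(s)"
    $Findings | ForEach-Object { Write-Output $_ }
}
```

A 7045 event for PSEXESVC on its own only proves that someone ran PsExec against the host, which administrators do legitimately; treat it as a lead to correlate with the logon that preceded it and with the other findings, not as proof of infection. The hash check will only ever match the one sample listed above, so a missing hash match says nothing about a repacked build; the folder, service and driver checks are the ones that survive trivial changes to the binary.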

Solution

Once Mamba has encrypted the drive, the data cannot be recovered without the DiskCryptor password held by the attacker. In case of infection, we strongly urge you not to pay any ransom.

To avoid infection, entities are recommended to take the following measures:

- Apply caution when opening unknown files and unknown e-mails.
- Block SMB ports (TCP 139 and 445) or services at the firewall level, and restrict access to administrative shares, since PsExec relies on them to execute the ransomware remotely.
- Apply the MS17-010 patch as well as the patch for CVE-2017-0199.
- Maintain offline backups and verify that they can be restored.
- Migrate older Windows systems such as Windows XP, Vista and Server 2003 to a current, patched version, as Microsoft no longer releases regular security patches for them.
- Use network analytics tools to detect unexpected outgoing connections and lateral movement inside the network, including the installation of the PSEXESVC service that PsExec leaves on its targets.
- Apply vendor patches as soon as they are available.


References

Securelist

Contact Us aeCERT P.O. Box 116688 Dubai, United Arab Emirates

Tel (+971) 4 230 0003 Fax (+971) 4 230 0100 Email info[at]aeCERT.ae

For secure communications with aeCERT regarding sensitive or vulnerability information, please send your correspondence to aeCERT[at]aeCERT.ae
