Security Affairs
Update Now: Critical Zimbra Classic Web Client Flaw Could Expose Mailboxes|Ransomware Never Stopped: Over 9,000 Confirmed Attacks Since 2018|222 GitHub Repositories Linked to Fake Go Package Malware Operation|Former Ransomware Negotiator Sentenced to 70 Months in Prison for Secretly Helping BlackCat Gang|GigaWiper Merges Three Malware Families Into One Destructive Backdoor|INTERPOL Operation First Light Nets 5,811 Arrests and Seizes $293 Million|GodDamn Ransomware Uses PoisonX to Blind Security Software|AssuranceAmerica Breach Exposes 7 Million Driver’s Licenses After Employee Account Hack|Microsoft fixed Defender flaw RoguePlanet (CVE-2026-50656)|Fake VPN and 7-Zip Apps Turn Victims Into Residential Proxy Nodes|Ubiquiti Patches Critical UniFi OS Flaws Allowing Command Injection and Privilege Escalation|A Hacker Claims 35 GB of Accenture Source Code. The Company discloses the data breach|Update Now: Critical Zimbra Classic Web Client Flaw Could Expose Mailboxes|Ransomware Never Stopped: Over 9,000 Confirmed Attacks Since 2018|222 GitHub Repositories Linked to Fake Go Package Malware Operation|Former Ransomware Negotiator Sentenced to 70 Months in Prison for Secretly Helping BlackCat Gang|GigaWiper Merges Three Malware Families Into One Destructive Backdoor|INTERPOL Operation First Light Nets 5,811 Arrests and Seizes $293 Million|GodDamn Ransomware Uses PoisonX to Blind Security Software|AssuranceAmerica Breach Exposes 7 Million Driver’s Licenses After Employee Account Hack|Microsoft fixed Defender flaw RoguePlanet (CVE-2026-50656)|Fake VPN and 7-Zip Apps Turn Victims Into Residential Proxy Nodes|Ubiquiti Patches Critical UniFi OS Flaws Allowing Command Injection and Privilege Escalation|A Hacker Claims 35 GB of Accenture Source Code. The Company discloses the data breach|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Mamba ransomware is back and targets organizations in Brazil and Saudi Arabia

Researchers at Kaspersky Lab discovered a new wave of attack leveraging the Mamba ransomware that hit organizations in Brazil and Saudi Arabia. Mamba ransomware is one of the first malware that encrypted hard drives rather than files that was detected in public attacks. Mamba leverages a disk-level encryption strategy instead of the conventional file-based one. A […]

mamba ransomware returns-9

Researchers at Kaspersky Lab discovered a new wave of attack leveraging the Mamba ransomware that hit organizations in Brazil and Saudi Arabia.

Mamba ransomware is one of the first malware that encrypted hard drives rather than files that was detected in public attacks.

Mamba leverages a disk-level encryption strategy instead of the conventional file-based one.

A similar Ransomware, called Petya, made the headlines for the recent massive attack and its disk encryption strategy. The first sample of Mamba Ransomware discovered in the wild were using a full disk encryption open source tool called DiskCryptor to strongly encrypt the data.

Mamba mostly targeted organizations in Brazil, it was also used by crooks in the attack against the San Francisco Municipal Transportation Agency occurred in November.

Researchers at Kaspersky Lab discovered a new wave of attack leveraging the Mamba ransomware that hit organizations in Brazil and Saudi Arabia.

Like the NotPetya massive attack, also Mamba appears to have been designed for sabotage, it is unclear if the malware was developed by crooks or by a nation-state actor.

Unlike the NotPetya attacks, it is not excluded that Mamba victims could decrypt their data.

“Authors of wiper malware are not able to decrypt victims’ machines. For example, if you remember the ExPetr [malware], it uses a randomly generated key to encrypt a victim machine, but the trojan doesn’t save the key for further decryption,” said Kaspersky Lab researcher Orkhan Memedov. “So, we have a reason to call it ‘a wiper.’ However, in case of Mamba the key should be passed to the trojan as a command line argument, it means that the criminal knows this key and, in theory, the criminal is able to decrypt the machine.”

Mamba was first spotted on September 2016 when experts at Morphus Labs discovered the infection of machines belonging to an energy company in Brazil with subsidiaries in the United States and India.

The researchers shared a detailed analysis on Security Affairs, they explained that once the malware has infected a Windows machine, it overwrites the existing Master Boot Record, with a custom MBR and encrypts the hard drive using the DiskCryptor tool.

“Unfortunately there is no way to decrypt data that has been encrypted with the DiskCryptor utility, because this legitimate utility uses strong encryption algorithms,” explained Kaspersky Lab.

The last samples of Mamba ransomware show an unusual ransom note that instead of demanding for money like the original Mamba, it provides two email addresses and an ID number to be used to recover the encryption key.

mamba ransomware 2

The threat actor behind the new wave of Mamba ransomware attacks leverages the PSEXEC utility to execute the malware on the corporate network once it has penetrated it. PSEXEC is the same tool used by NotPetya to spread within target networks.

The attack chain described by Kaspersky has two phases, in the first one attackers drop the DiskCryptor tool into a new folder created by the malware. The persistence is obtained by registering a system service called DefragmentService, then the system is rebooted.

The second phase sets up the new bootloader and encrypts disk partitions using DiskCryptor, then the machine is rebooted.

“It is important to mention that for each machine in a victim’s network, the threat actor generates a password for the DiskCryptor utility,” Kaspersky Lab said in its report. “This password is passed via command line arguments to the ransomware dropper.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Mamba ransomware, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]