The Brazilian information security research group Morphus Labs has discovered the Mamba ransomware which uses disk-level encryption.
The Mamba Ransomware Uses Disk-Level Encryption
The Mamba ransomware was identified on September 7 during an incident response procedure by Renato Marinho, a security expert at Morphus Labs. This malware threat uses disk-level encryption, which causes much more damage than individual file-based attacks. The criminal developers used the open source tool DiskCryptor to encrypt the information.
A comparison was made with the Petya virus, which also uses disk encryption. However, Petya encrypts only the Master File Table (MFT), which does not affect the data itself.
Upon successful infiltration, Mamba creates a folder titled DC22 on the C drive of the computer, where it places its binary files. A system service is created which hosts the ransomware process. A new user named mythbusters is created with the password 123456.
It also overwrites the master boot record (MBR) of the system disk, which contains the boot loader for the operating system. This effectively prevents the user from even loading the operating system without entering the decryption code.
The ransom message asks users to pay the sum of 1 BTC per infected machine to the attackers. The researchers noted that the malicious operators mention servers in the text. This probably means that Mamba can be used to attack server farms and other important network hosts.
Mamba is distributed via exploit kits, infected DLL files, malicious JavaScript code or downloads. It is very likely that the cryptographic cipher used is AES-512, which is impossible to crack. Various Trojans can also carry the Mamba payload as part of an efficient, aggressive attack against high-profile targets.
At the moment, there is no decryption utility that can restore Mamba-infected drives.