On March 23, the FBI issued a flash alert about an already known ransomware: Mamba. This malware hit the headlines in 2016 when it infected computers of the San Francisco Municipal Transportation Agency (SFMTA). Although train services weren't interrupted during the incident, for a few days the agency wasn't able to sell tickets and passengers traveled free while the information boards displayed the message "you hacked" to the public. According to the FBI, Mamba has returned in 2021, recently affecting local governments, legal services, technology services, and industrial, commercial, manufacturing and construction companies.

PSEXEC as a vector, DiskCryptor as an encryption tool_

As an access vector, Mamba operators generally use PSEXEC, a tool that allows control over computers in remote locations. It enables administrators to perform remote maintenance tasks and execute commands on the destination host. As a command-line utility, PSEXEC only requires the address of the target, a user name and a password, so once an attacker holds valid administrative credentials it becomes a way to push the payload to every reachable machine. We already mentioned this utility when we talked about Living Off The Land attacks such as the Petya/NotPetya case, in which cybercriminals used it in a similar way.

FBI: message template used by Mamba

Once inside the systems, and as happens with most ransomware, the victims receive a message urging them to pay a high sum of money in cryptocurrency; after paying, they are supposed to obtain the decryption key to unlock their systems (although there are exceptions which go beyond these messages and use threats in the physical world, as we explained with the DoppelPaymer group). This ransomware uses DiskCryptor for encryption: a legitimate open-source full-disk encryption tool that encrypts entire disk partitions, including the system volume, and installs its own bootloader in the Master Boot Record (MBR), which is why the machine cannot boot normally once the process completes.

Fast recovery, backups and advanced solutions_

According to the FBI, victims of this ransomware have a window in which they can recover their files and avoid permanent encryption: the encryption key and the variable that sets the scheduled shutdown time are saved in a configuration file (myConf.txt), which remains readable until the system's second reboot, which occurs automatically about two hours later. Once that reboot happens, the system is completely locked. So if any of the DiskCryptor files associated with the malware are detected within that interval, responders should locate myConf.txt immediately and, if it is still accessible, the password can be recovered without having to pay the ransom. The practical consequence is that an affected host must not be rebooted while it is being triaged: the reboot is exactly what closes the window.
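The triage the FBI describes, as an added example that is not code from the original post or from the FBI alert: walk a file system (a live host or a mounted image) for DiskCryptor artifacts, and if myConf.txt is found, copy it out with a SHA-256 hash before the second reboot makes it unreadable, estimating how much of the roughly two-hour window remains from the file's modification time. The alert itself names only myConf.txt; the other file names in ARTIFACT_NAMES are DiskCryptor's own component names and are an assumption to be checked against the current indicator list. The `demo()` function builds a constructed sample tree (no real malware output is used; the format of a real myConf.txt is not documented here), so the example runs offline.

```python
"""Hunt for DiskCryptor artifacts and preserve myConf.txt.

Added example (not the original post's or the FBI's code). The FBI alert names
only myConf.txt; the other names are DiskCryptor component file names and are
an assumption: replace ARTIFACT_NAMES with the indicator list you trust.
"""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timedelta, timezone

ARTIFACT_NAMES = {"myconf.txt", "dcrypt.exe", "dcapi.dll",
                  "dcrypt.sys", "dccon.exe", "dcinst.exe"}
SECOND_REBOOT_AFTER = timedelta(hours=2)  # FBI: second reboot about two hours later


def find_artifacts(root):
    """Return every file under root whose name matches a known artifact name."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in ARTIFACT_NAMES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def sha256_of(path):
    """Hash the preserved copy so the evidence can be verified later."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_myconf(path, evidence_dir, now=None):
    """Copy myConf.txt to evidence_dir and estimate the minutes left in the window.

    The window is estimated from the file's mtime, which is when the malware
    wrote its configuration, so treat the figure as an upper bound.
    """
    os.makedirs(evidence_dir, exist_ok=True)
    now = now or datetime.now(timezone.utc)
    written = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
    dest = os.path.join(evidence_dir, f"myConf_{written:%Y%m%d_%H%M%S}.txt")
    shutil.copy2(path, dest)  # copy2 keeps the original timestamps
    remaining = SECOND_REBOOT_AFTER - (now - written)
    with open(path, "r", errors="replace") as f:
        contents = f.read()
    return {"source": path, "copy": dest, "sha256": sha256_of(dest),
            "minutes_left": round(remaining.total_seconds() / 60),
            "contents": contents}


def triage(root, evidence_dir, now=None):
    """List artifacts found under root and preserve every myConf.txt among them."""
    hits = find_artifacts(root)
    report = {"artifacts": hits, "myconf": []}
    for p in hits:
        if os.path.basename(p).lower() == "myconf.txt":
            report["myconf"].append(preserve_myconf(p, evidence_dir, now))
    return report


def demo():
    """Constructed sample tree: a DiskCryptor binary name, a placeholder
    myConf.txt written 30 minutes ago, and an unrelated file."""
    root = tempfile.mkdtemp(prefix="mamba-demo-")
    public = os.path.join(root, "Users", "Public")
    os.makedirs(public)
    open(os.path.join(root, "dcrypt.exe"), "wb").close()
    conf = os.path.join(public, "myConf.txt")
    with open(conf, "w") as f:
        f.write("constructed placeholder; the real file format is not documented here\n")
    open(os.path.join(public, "notes.txt"), "w").close()
    thirty_min_ago = (datetime.now(timezone.utc) - timedelta(minutes=30)).timestamp()
    os.utime(conf, (thirty_min_ago, thirty_min_ago))
    return triage(root, os.path.join(root, "evidence"))


if __name__ == "__main__":
    result = demo()
    for path in result["artifacts"]:
        print("artifact:", path)
    for entry in result["myconf"]:
        print(f"preserved {entry['copy']} sha256={entry['sha256']} "
              f"~{entry['minutes_left']} min left")
```

On a live Windows host the same search would be pointed at the system drive and combined with a check for the DiskCryptor driver and service; the script deliberately does not parse myConf.txt, because the alert describes what it contains but not its layout, so the raw copy is what an analyst needs.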

Nonetheless, as we covered recently in the Ryuk ransomware case at the State Employment Public Service (SEPE), the FBI also recommends backing up systems regularly, with copies kept offline so that the backups themselves cannot be encrypted; this enables organizations to restore operations as quickly as possible, and without giving in to blackmail, if their systems are eventually encrypted.

Lastly, the agency stresses that organizations need to have "antivirus and anti-malware software on all hosts". Given the surge in ransomware and the growing sophistication of this malware, SOCs must be equipped with the most advanced tools possible for their cybersecurity operations.

Cytomic Covalent is the solution to meet these needs, as it offers a full range of Endpoint protection functionalities through Cytomic EPDR. In addition, it includes Cytomic Orion, which speeds up Threat Hunting to reduce detection, mitigation and response time for incidents; this time interval is decisive to avoid being blocked and other harm being caused, as we have seen with Mamba.