The year 2016 is definitely going to be the year of Ransomware. In this year we have already witnessed some of the biggest names among Ransomware families, such as Cerber and its variants, FairWare, Petya, Wildfire, and Zepto. Now a new player, Mamba Ransomware, has joined the league. The name Mamba comes from the deadly snake species found in Central and Southern Africa.
The Mamba Ransomware has been found in India, Brazil and the United States. It was discovered by the Brazilian company Morphus Labs while investigating an infection at an energy firm that has subsidiaries in India and the United States.
Source: Morphus Labs
As per the security experts at Morphus Labs, the Ransomware is being spread through phishing emails. Once the user is tricked into downloading the infected file that arrives as an email attachment, the malware installs itself and executes. It then overwrites the existing Master Boot Record with a custom MBR, after which it encrypts the hard drive. Mamba uses disk-level cryptography to encrypt whole disk partitions. In this sense it is more advanced than other Ransomware that still uses the traditional strategy of encrypting individual files. The malware targets the Windows operating system. Once a system is infected with Mamba, it can no longer boot without a password. The password is in fact the decryption key, which the hackers provide only after a ransom is paid in Bitcoins. The hackers behind Mamba are demanding a ransom of one Bitcoin per infected host for providing the decryption key.
The disk-level cryptography used in Mamba is somewhat similar to the approach used in Petya, as both target the disk itself rather than individual files. While Petya encrypts the Master File Table, Mamba locks up the hard drives using an open source disk encryption tool called DiskCryptor. It is with this tool that Mamba encrypts the entire hard drive and not the individual files.