
FBI exposes weakness in Mamba ransomware, DiskCryptor
2021-03-26 07:30

The FBI warns that Mamba ransomware attacks have been directed at entities in the public and private sector, including local governments, transportation agencies, legal services, technology services, industrial, commercial, manufacturing, and construction businesses.

Mamba ransomware relies on an open-source software solution named DiskCryptor to encrypt victim computers in the background with a key defined by the attacker.

The FBI explains that installing DiskCryptor requires a system restart to add the necessary drivers; in the case of Mamba, that restart occurs approximately two minutes after the program is deployed.

Because the encryption key is saved in plaintext, with no protection around it, the FBI says that this two-hour gap gives organizations hit by Mamba ransomware an opportunity to recover it.

"If any of the DiskCryptor files are detected, attempts should be made to determine if the myConf.txt is still accessible. If so, then the password can be recovered without paying the ransom. This opportunity is limited to the point in which the system reboots for the second time" - the FBI.

The Mamba ransomware operation started to increase its activity with a new variant found in the second half of 2019.
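The check the FBI describes above (look for DiskCryptor files, then test whether myConf.txt is still readable and preserve it before the second reboot closes the window) is the kind of thing a responder wants scripted rather than done by hand. The following Python triage helper is an added example, not code from the article, the FBI, or DiskCryptor. The only file name the article gives is myConf.txt; the other indicator names (dcrypt.sys, dcapi.dll, dccon.exe, dcrypt.exe, dcinst.exe) are assumed DiskCryptor component names, and the sample host tree, file contents and config text are constructed placeholders (the article does not describe the config's layout, so the helper preserves and hashes the file rather than parsing it).

```python
from __future__ import annotations

import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# The article names only myConf.txt; the other names are assumed
# DiskCryptor component file names used here as detection indicators.
CONFIG_NAME = "myconf.txt"
ASSUMED_DISKCRYPTOR_ARTIFACTS = {
    "dcrypt.sys", "dcapi.dll", "dccon.exe", "dcrypt.exe", "dcinst.exe",
}


@dataclass
class TriageReport:
    artifacts: list[Path] = field(default_factory=list)        # indicator files found
    readable_configs: list[Path] = field(default_factory=list)  # myConf.txt still accessible
    unreadable_configs: list[Path] = field(default_factory=list)
    preserved: dict[str, str] = field(default_factory=dict)     # evidence copy path -> sha256

    @property
    def recoverable(self) -> bool:
        """True when at least one config was readable and a copy has been preserved."""
        return bool(self.readable_configs) and bool(self.preserved)


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(root: Path, evidence_dir: Path) -> TriageReport:
    """Walk `root`, record DiskCryptor indicators and preserve every readable myConf.txt."""
    report = TriageReport()
    evidence_dir.mkdir(parents=True, exist_ok=True)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            lower = name.lower()
            if lower in ASSUMED_DISKCRYPTOR_ARTIFACTS:
                report.artifacts.append(path)
            elif lower == CONFIG_NAME:
                # Copy first, hash second: the recovery window closes at the second
                # reboot, so getting the plaintext config off the host is the priority.
                dest = evidence_dir / f"{len(report.preserved):03d}_{name}"
                try:
                    shutil.copy2(path, dest)
                except OSError:
                    # Not readable any more: treat as the window having closed.
                    report.unreadable_configs.append(path)
                    continue
                report.readable_configs.append(path)
                report.preserved[str(dest)] = sha256_of(dest)
    return report


def build_sample_tree(base: Path) -> Path:
    """Constructed sample host layout for the demo; nothing here is real malware data."""
    host = base / "host"
    dc_dir = host / "ProgramData" / "dc"
    dc_dir.mkdir(parents=True)
    (dc_dir / "dcrypt.sys").write_bytes(b"constructed placeholder driver bytes")
    (dc_dir / "dcapi.dll").write_bytes(b"constructed placeholder dll bytes")
    # Constructed stand-in for the plaintext config; the real layout is not described.
    (dc_dir / "myConf.txt").write_text("PLACEHOLDER-CONFIG-CONTENT\n")
    user_dir = host / "Users" / "alice"
    user_dir.mkdir(parents=True)
    (user_dir / "notes.txt").write_text("unrelated file\n")
    return host


def demo() -> TriageReport:
    """Run the triage against the constructed tree in a fresh temporary directory."""
    base = Path(tempfile.mkdtemp(prefix="mamba_triage_"))
    return triage(build_sample_tree(base), base / "evidence")


if __name__ == "__main__":
    r = demo()
    print("indicators:", [p.name for p in r.artifacts])
    print(f"readable configs: {len(r.readable_configs)}, preserved copies: {len(r.preserved)}")
    print("password recoverable from preserved config" if r.recoverable
          else "config not readable; recovery window has probably closed")
```

On a real case `triage()` would be pointed at the suspect volume (a live system or a mounted image) with `evidence_dir` on separate media, and the recorded SHA-256 of each copy gives the chain-of-custody value to log alongside the time the copy was taken, since the article's point is that the file is only useful before the second reboot.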

One peculiarity of Mamba ransomware is that it overwrites the disk's master boot record, preventing access to the encrypted files on the drive.


News URL

https://www.bleepingcomputer.com/news/security/fbi-exposes-weakness-in-mamba-ransomware-diskcryptor/