Weakness in Mamba ransomware could help recover data
A two-hour gap before system restart could save organizations from paying the ransom


The FBI has warned hackers deployed the Mamba ransomware against several public and private organizations, but a flaw in the malware could allow companies to get their encrypted data back.
In an alert, the feds said hackers used the ransomware against local governments, public transportation agencies, legal services, technology services, and industrial, commercial, manufacturing and construction businesses.
Mamba encrypts data using DiskCryptor — an open source full-disk encryption software — to restrict victim access by encrypting an entire drive, including the operating system. While this software isn’t inherently malicious, the FBI warned hackers have weaponized it.
Sierra Wireless halts production after ransomware attack Acer falls victim to $50 million ransomware attack The most popular ransomware strains targeting UK businesses What is ransomware?
Once data has been encrypted, the system displays a ransom note including the hacker’s email address, ransomware file name, the host system name, and a place to enter the decryption key.
However, the FBI noted that installing DiskCryptor requires a system restart to add essential drivers. The ransomware program restarts the system about two minutes after the installation to complete the driver installation. The encryption key and the shutdown time variable are saved to a configuration file (myConf.txt) and are readable until the second restart about two hours later, concluding the encryption and displays the ransom note.
“If any of the DiskCryptor files are detected, attempts should be made to determine if the myConf.txt is still accessible. If so, organizations can recover the password without paying the ransom. This opportunity is limited to the point in which the system reboots for the second time,” a statement from the FBI read.
The alert provided details on the ransomware’s key artifacts that could help organizations detect such a ransomware attack.
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
“If DiskCryptor is not used by the organization, add the key artifact files used by DiskCryptor to the organization’s execution blacklist. Any attempts to install or run this encryption program and its associated files should be prevented,” the FBI said.
The FBI recommended that organizations carry out regular data backups and air gap and password protect this data offline. Organizations should also make copies of critical data inaccessible for modification or deletion from the system where the data resides.
The Bureau also recommended organizations implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.
-
AI coding tools are booming – and developers in this one country are by far the most frequent users
News AI coding tools are soaring in popularity worldwide, but developers in one particular country are among the most frequent users.
-
Cisco warns of critical flaw in Unified Communications Manager – so you better patch now
News While the bug doesn't appear to have been exploited in the wild, Cisco customers are advised to move fast to apply a patch
-
A prolific ransomware group says it’s shutting down and giving out free decryption keys to victims – but cyber experts warn it's not exactly a 'gesture of goodwill'
News The Hunters International ransomware group is rebranding and switching tactics
-
Swiss government data published following supply chain attack – here’s what we know about the culprits
News Radix, a non-profit organization in the health promotion sector, supplies a number of federal offices, whose data has apparently been accessed.
-
Ransomware victims are getting better at haggling with hackers
News While nearly half of companies paid a ransom to get their data back last year, victims are taking an increasingly hard line with hackers to strike fair deals.
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker group
News An analysis of May's SQL database dump shows how much LockBit was really making
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabs
News An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs
-
It's been a bad week for ransomware operators
News A host of ransomware strains have been neutralized, servers seized, and key players indicted
-
Everything we know about the Peter Green Chilled cyber attack
News A ransomware attack on the chilled food distributor highlights the supply chain risks within the retail sector
-
Scattered Spider: Who are the alleged hackers behind the M&S cyber attack?
News The Scattered Spider group has been highly active in recent years