The FBI has warned hackers deployed the Mamba ransomware against several public and private organizations, but a flaw in the malware could allow companies to get their encrypted data back.
In an alert, the feds said hackers used the ransomware against local governments, public transportation agencies, legal services, technology services, and industrial, commercial, manufacturing and construction businesses.
Mamba encrypts data using DiskCryptor — an open source full-disk encryption software — to restrict victim access by encrypting an entire drive, including the operating system. While this software isn’t inherently malicious, the FBI warned hackers have weaponized it.
Sierra Wireless halts production after ransomware attack Acer falls victim to $50 million ransomware attack The most popular ransomware strains targeting UK businesses What is ransomware?
Once data has been encrypted, the system displays a ransom note including the hacker’s email address, ransomware file name, the host system name, and a place to enter the decryption key.
However, the FBI noted that installing DiskCryptor requires a system restart to add essential drivers. The ransomware program restarts the system about two minutes after the installation to complete the driver installation. The encryption key and the shutdown time variable are saved to a configuration file (myConf.txt) and are readable until the second restart about two hours later, concluding the encryption and displays the ransom note.
“If any of the DiskCryptor files are detected, attempts should be made to determine if the myConf.txt is still accessible. If so, organizations can recover the password without paying the ransom. This opportunity is limited to the point in which the system reboots for the second time,” a statement from the FBI read.
The alert provided details on the ransomware’s key artifacts that could help organizations detect such a ransomware attack.
“If DiskCryptor is not used by the organization, add the key artifact files used by DiskCryptor to the organization’s execution blacklist. Any attempts to install or run this encryption program and its associated files should be prevented,” the FBI said.
The FBI recommended that organizations carry out regular data backups and air gap and password protect this data offline. Organizations should also make copies of critical data inaccessible for modification or deletion from the system where the data resides.
The Bureau also recommended organizations implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location.
-
‘Always on’ culture is harming productivity, so workers are demanding ‘digital silence’ to get on with tasksNews Tired of relentless notifications, emails, and messages? You're not alone. Workers across a range of industries are calling for 'digital silence' periods to boost productivity.
-
Dell Pro 14 Plus laptop reviewReviews A solid business laptop, but awkward pricing and bland design see it struggle to make a mark
-
Average ransom payment doubles in a single quarterNews Targeted social engineering and data exfiltration have become the biggest tactics as three major ransomware groups dominate
-
BlackSuit ransomware gang taken down in latest law enforcement sting – but members have already formed a new groupNews The notorious gang has seen its servers taken down and bitcoin seized, but may have morphed into a new group called Chaos
-
Google cyber researchers were tracking the ShinyHunters group’s Salesforce attacks – then realized they’d also fallen victimNews In an update to an investigation on the ShinyHunters group, Google revealed it had also been affected
-
Nearly one-third of ransomware victims are hit multiple times, even after paying hackersNews Many ransomware victims are being hit more than once, largely thanks to fragmented security tactics
-
75% of UK business leaders are willing to risk criminal penalties to pay ransomsNews A ransom payment ban is a great idea - until you're the one being targeted...
-
The Scattered Spider ransomware group is infiltrating Slack and Microsoft Teams to target vulnerable employeesNews The group is using new ransomware variants and new social engineering techniques - including sneaking into corporate teleconferences
-
Hackers breached a 158 year old company by guessing an employee password – experts say it’s a ‘pertinent reminder’ of the devastating impact of cyber crimeNews A Panorama documentary exposed hackers' techniques and talked to the teams trying to tackle them
-
The ransomware boom shows no signs of letting up – and these groups are causing the most chaos
News Thousands of ransomware cases have already been posted on the dark web this year
