The FBI Flash, the US Federal Bureau of Investigations’ alerting service, released a private alert to organizations about Mamba ransomware in which it gives security recommendations and reveals a weak spot in the ransomware.
The FBI discovered a flaw in the malware’s encryption process that could help effected organizations to remediate the attack without paying the ransom.
In the alert [PDF], the FBI says cybercriminals have been targeting with Mamba ransomware entities in the public and private sector, including local governments, legal services, technology services, transportation agencies, and industrial, commercial, manufacturing, and construction businesses.
Mamba ransomware (a.k.a. HDDCryptor) uses an open-source software solution DiskCryptor to encrypt the victim’s computer with a key known only to the attacker.
Mamba ransomware overwrites the disk’s master boot record (MBR), which prevents access to encrypted files on the drive and makes it difficult to track the attacks because automated services like ID-Ransomware cannot analyze the files.
The FBI explains that installing DiskCryptor requires a system restart to add necessary drivers. And one more restart happens once the encryption process completes, around two hours later. After this, the computer is encrypted and the ransom note is shown to the victim.
There is no protection around the encryption key, it is saved in plaintext. The FBI advises using this two-hour gap as an opportunity to try to remove Mamba ransomware.
“If any of the DiskCryptor files are detected, attempts should be made to determine if the myConf.txt is still accessible. If so, then the password can be recovered without paying the ransom. This opportunity is limited to the point in which the system reboots for the second time,” said the FBI.
The FBI provides the following artifacts that organizations can look for on their computers in the two-hour gap to detect and remove Mamba ransomware:
| Key Artifacts | |
| Files | Description |
| $dcsys$ | Located in the root of every encrypted drive [i.e.C:\$dcsys$] |
| C:\Users\Public\myLog.txt | Ransomware log file |
| C:\Users\Public\myConf.txt | Ransomware configuration file |
| C:\Users\Public\dcapi.dll | DiskCryptor software executable |
| C:\Users\Public\dcinst.exe | DiskCryptor software executable |
| C:\Users\Public\dccon.exe | DiskCryptor software executable |
| C:\Users\Public\dcrypt.sys | DiskCryptor software executable |
| C:\Windows\System32\Drivers\dcrypt.sys | Installed DiskCryptor driver |
| [Ransomware Filename].exe | Portable 32-bit .NET assembly compatible with 32-bitand 64-bit Windows systems which combinesDiskCryptor with a simple ransom message upon boo |
| dcinst.exe | Cryptor installer support |
| dccon.exe | Console version od DiskCryptor |
In addition, attackers may use myCryptoraphyService which runs [Ransomware Filename].exe as a service and is removed once encryption is completed, the FBI said.
