FBI Exposes Weaknesses In Mamba Ransomware, DiskCryptor

FBI Flash, the US Federal Bureau of Investigation’s alerting service, released a private alert to organizations about Mamba ransomware that gives security recommendations and reveals a weak spot in the ransomware.

The FBI discovered a flaw in the malware’s encryption process that could help affected organizations remediate the attack without paying the ransom.

In the alert [PDF], the FBI says cybercriminals have been using Mamba ransomware against entities in the public and private sector, including local governments, legal services, technology services, transportation agencies, and industrial, commercial, manufacturing, and construction businesses.

Mamba ransomware (a.k.a. HDDCryptor) uses DiskCryptor, an open-source software solution, to encrypt the victim’s computer with a key known only to the attacker.

Mamba ransomware overwrites the disk’s master boot record (MBR), which prevents access to encrypted files on the drive and makes it difficult to track the attacks because automated services like ID-Ransomware cannot analyze the files.

The FBI explains that installing DiskCryptor requires a system restart to add necessary drivers. A second restart happens once the encryption process completes, around two hours later. After this, the computer is encrypted and the ransom note is shown to the victim.

There is no protection around the encryption key: it is saved in plaintext. The FBI advises using this two-hour gap as an opportunity to try to remove Mamba ransomware.

“If any of the DiskCryptor files are detected, attempts should be made to determine if the myConf.txt is still accessible. If so, then the password can be recovered without paying the ransom. This opportunity is limited to the point in which the system reboots for the second time,” said the FBI.

The FBI provides the following artifacts that organizations can look for on their computers in the two-hour gap to detect and remove Mamba ransomware:

Key Artifacts

| Files | Description |
| --- | --- |
| $dcsys$ | Located in the root of every encrypted drive [i.e. C:\$dcsys$] |
| C:\Users\Public\myLog.txt | Ransomware log file |
| C:\Users\Public\myConf.txt | Ransomware configuration file |
| C:\Users\Public\dcapi.dll | DiskCryptor software executable |
| C:\Users\Public\dcinst.exe | DiskCryptor software executable |
| C:\Users\Public\dccon.exe | DiskCryptor software executable |
| C:\Users\Public\dcrypt.sys | DiskCryptor software executable |
| C:\Windows\System32\Drivers\dcrypt.sys | Installed DiskCryptor driver |
| [Ransomware Filename].exe | Portable 32-bit .NET assembly compatible with 32-bit and 64-bit Windows systems which combines DiskCryptor with a simple ransom message upon boot |
| dcinst.exe | Cryptor installer support |
| dccon.exe | Console version of DiskCryptor |

In addition, attackers may use myCryptoraphyService, which runs [Ransomware Filename].exe as a service and is removed once encryption is completed, the FBI said.
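
The artifact check described above, as an added example (not code from the FBI alert or from this article): a Python triage script that looks for the listed DiskCryptor files under a live C:\ or a mounted disk image and, if myConf.txt is still readable, saves a copy and records its SHA-256. The function names, the root and evidence_dir parameters, and the case-insensitive lookup (for images mounted on a case-sensitive file system) are assumptions made for illustration.

```python
import hashlib
from pathlib import Path, PureWindowsPath

# Artifact paths as listed in the FBI table above.
ARTIFACTS = [
    r"C:\$dcsys$",
    r"C:\Users\Public\myLog.txt",
    r"C:\Users\Public\myConf.txt",
    r"C:\Users\Public\dcapi.dll",
    r"C:\Users\Public\dcinst.exe",
    r"C:\Users\Public\dccon.exe",
    r"C:\Users\Public\dcrypt.sys",
    r"C:\Windows\System32\Drivers\dcrypt.sys",
]
CONF = r"C:\Users\Public\myConf.txt"


def find_ci(root, win_path):
    """Resolve a Windows path under root, matching names case-insensitively."""
    cur = Path(root)
    for part in PureWindowsPath(win_path).parts[1:]:  # skip the "C:\" anchor
        try:
            cur = next(p for p in cur.iterdir() if p.name.lower() == part.lower())
        except (StopIteration, OSError):
            return None  # missing, not a directory, or access denied
    return cur


def triage(root, evidence_dir=None):
    """Report which artifacts exist; preserve myConf.txt if it is readable."""
    found = {w: p for w in ARTIFACTS if (p := find_ci(root, w)) is not None}
    result = {"found": sorted(found), "conf_readable": False, "conf_sha256": None}
    conf = found.get(CONF)
    if conf is None:
        return result
    try:
        data = conf.read_bytes()
    except OSError:
        return result  # present but no longer accessible
    result["conf_readable"] = True
    result["conf_sha256"] = hashlib.sha256(data).hexdigest()
    if evidence_dir is not None:  # hypothetical evidence folder, off the affected disk
        Path(evidence_dir).mkdir(parents=True, exist_ok=True)
        (Path(evidence_dir) / "myConf.txt").write_bytes(data)
    return result

if __name__ == "__main__":
    import sys
    print(triage(sys.argv[1] if len(sys.argv) > 1 else "C:\\"))
```

The script never prints the contents of myConf.txt; point evidence_dir at removable or network storage so the copy survives the second reboot.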

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.
