Getty Images/iStockphoto

FBI: Mamba Ransomware Actors Weaponizing Freeware Encryption Tool

Hackers are leveraging Mamba ransomware to weaponize the legitimate, open source disk encryption software known as DiskCryptor, which blocks victims’ access to the network.

The threat actors behind Mamba ransomware are weaponizing DiskCryptor, an open source full disk encryption software. The malware encrypts the entire drive, including the operating system, to restrict victims’ access, according to an FBI TLP White Report for the private sector.

Mamba, or HDDCryptor, was first detected in the wild in mid-2016. In 2019, Trend Micro noted that the ransomware was known to use DiskCryptor to encrypt both the disk and network files, as well as to overwrite the Master Boot Record (MBR).

The actors modified a component of DiskCryptor, a commercially available, freeware software, to scramble disks and mounted SMB drives. The variant also overwrites the MBR with a modified bootloader to lock the victim machine’s hard drive.

Previous iterations of the variant were used in the 2016 cyberattack against the San Francisco Municipal Transport Agency.

In May 2020, Coveware data found Mamba hackers were increasingly leveraging the variant in their attacks.

“Mamba ransomware involves the combination of a boot-locker program and full disk encryption via commercial software,” researchers explained, at the time. “The bootloader screen is used as a ransom note. Decrypting the full disk encryption requires passwords that only the threat actor holds.” 

In its latest attacks, the FBI has observed Mamba ransomware deployed against local governments, public transportation agencies, legal firms, technology services, and a range of other infrastructure sectors.

While DiskCryptor is not inherently malicious, the hackers have weaponized the tool for nefarious activities. The ransomware wraps the legitimate tool in a program that installs and starts disk encryption in the background.

“The attacker passes the encryption key via the command-line parameter: [Ransomware Filename].exe,” according to the alert. “The ransomware extracts a set of files and installs an encryption service.” 

“The ransomware program restarts the system about 2 minutes after installation of DiskCryptor to complete driver installation,” it added. “The encryption key and the shutdown time variable are saved to the configuration file (myConf.txt) and is readable until the second restart about two hours later which concludes the encryption and displays the ransom note.”

The FBI notes that if a system administrator detects any of these DiskCryptor files, they should attempt to determine if they can still access the “myConf.txt” -- as the password may still be recovered without paying the ransom.

However, the agency warned the opportunity to thwart the attack in this way is limited once the system reboots for the second time.

After the hackers have encrypted the entire drive, the system will display the ransom note that includes contact information of the attackers, the host system and ransomware file name, and a place to input the decryption key.

The hackers instruct victims that they must contact their email address to pay the ransom, in order to receive the decryption key.

To mitigate these attacks, the FBI recommends that system administrators routinely back up data in an air-gap environment that is password protected and stored offline. It’s also imperative to ensure copies of data are unable to be accessible for modification or deletion from the same system where the data resides.

Administrator passwords should also be required to install any software, and multi-factor authentication should be implemented wherever possible on the network. Reports have shown MFA blocks 99.9 percent of all automated attacks.

Security leaders should regularly change passwords for all network systems and accounts, while implementing a policy against password reuse and imposing the shortest acceptable timeframe for password changes.

“If DiskCryptor is not used by the organization, add the key artifact files used by DiskCryptor to the organization’s execution blacklist,” the FBI recommends. “Any attempts to install or run this encryption program and its associated files should be prevented.”

This is the second FBI private sector alert in the last week. The agency previously warned of a spike in business email compromise attacks against federal government agencies to hinder operational capabilities. These attacks have strained the resources of victims.

Next Steps

Dig Deeper on Cybersecurity strategies