The Federal Bureau of Investigation (FBI), in conjunction with the DHS’ Cybersecurity and Infrastructure Security Agency (CISA), has issued a TLP:WHITE alert about Mamba ransomware following an increase in attacks on multiple industry sectors.
Over the past few months, the ransomware gang has targeted government agencies and companies operating in the transportation, legal, construction, industrial, and manufacturing industries. Multiple methods are used to gain access to networks to deliver the ransomware payload, including exploiting unsecured remote access solutions and vulnerabilities in Remote Desktop Protocol (RDP).
Mamba ransomware weaponizes the legitimate file encryption program DiskCryptor to encrypt entire drives, including files and the operating system. Because DiskCryptor is a legitimate file encryption solution, security solutions may not detect the files as malicious.
The ransomware installs DiskCryptor, reboots the system after around 2 minutes to complete the installation, and then launches DiskCryptor to start the encryption routine. Once that process has completed, the system is restarted a second time and a ransom note is displayed on the encrypted device. The ransom note lists the victim’s ID, the hostname (which is different for each system), and the email address that can be used to contact the attackers. There is also a field to enter the decryption key, which will be provided only if the ransom is paid.
There are multiple stages to this attack and a short window of opportunity to stop an attack in progress. During the encryption process, the encryption key and the shutdown time variable are saved to the myConfig.txt configuration file. The myConfig.txt file can be accessed up until the second reboot, which occurs around 2 hours into the attack. If any of the DiskCryptor files are detected on a system prior to the second reboot, the decryption key can be obtained and the victim will not have to pay the ransom to recover their files. After the second reboot the ransom will need to be paid unless it is possible to restore the system from a backup.
Attacks can be thwarted by blacklisting the DiskCryptor key artifact files, which should be sufficient to prevent the files from installing and running the encryption routine. This will naturally not be an option for any organization or company that uses DiskCryptor for file encryption.
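The recovery window described above only helps if the DiskCryptor artifacts are spotted before the second reboot. The following is an added example of detection logic for that chain, not code from the FBI/CISA alert or from DiskCryptor: it correlates, per host, the appearance of the myConfig.txt file named in the alert (or of a DiskCryptor artifact file name from an analyst-maintained list) with a shutdown shortly afterwards, and reports the deadline by which the configuration file must be collected. The log format, the event names (file_create, process_start, shutdown_initiated), the sample lines, the paths and the DISKCRYPTOR_ARTIFACTS list are all constructed assumptions for this example; the real artifact names should be taken from the full alert.

```python
"""Detect the Mamba/DiskCryptor sequence: artifact file appears, reboot follows
within minutes, and the config file stays recoverable for about two hours.

Added example. Log format, event names, sample lines and the artifact list
are constructed for illustration and are NOT taken from the alert.
"""
import re
from datetime import datetime, timedelta

# ASSUMPTION: a placeholder list an analyst would fill from the full alert;
# the summary refers to "DiskCryptor key artifact files" without naming them.
DISKCRYPTOR_ARTIFACTS = {"diskcryptor.exe"}
CONFIG_FILE = "myconfig.txt"               # named in the alert (compared case-insensitively)
REBOOT_WINDOW = timedelta(minutes=5)       # first reboot follows install by ~2 minutes
SECOND_REBOOT_AFTER = timedelta(hours=2)   # myConfig.txt is recoverable until ~2 hours in

# Constructed log format: "<ISO timestamp> host=<name> event=<type> key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+)\s*(?P<rest>.*)$")

# Constructed sample events (paths and host names are made up for the example).
SAMPLE_LOG = r"""
2021-03-23T09:58:00 host=WS01 event=process_start image=C:\Windows\System32\svchost.exe
2021-03-23T10:00:05 host=WS01 event=file_create path=C:\Users\Public\myConfig.txt
2021-03-23T10:00:07 host=WS01 event=process_start image=C:\Users\Public\diskcryptor.exe
2021-03-23T10:02:10 host=WS01 event=shutdown_initiated reason=planned
2021-03-23T10:05:00 host=WS02 event=file_create path=C:\Users\bob\notes.txt
2021-03-23T11:00:00 host=WS03 event=process_start image=C:\Temp\diskcryptor.exe
2021-03-23T11:30:00 host=WS03 event=shutdown_initiated reason=planned
"""


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    # Remaining key=value pairs; values in this format contain no spaces.
    rest = rec.pop("rest")
    rec.update(dict(kv.split("=", 1) for kv in rest.split(" ") if "=" in kv))
    return rec


def basename(rec):
    """Lower-cased file name of the path or image in the record (Windows separators)."""
    return (rec.get("path") or rec.get("image") or "").rsplit("\\", 1)[-1].lower()


def detect(lines):
    """Return one alert per host showing DiskCryptor artifacts.

    Severity starts at "medium" (artifact seen: collect myConfig.txt before the
    deadline) and is raised to "high" when a shutdown follows within REBOOT_WINDOW,
    matching the install-then-reboot step described in the alert.
    """
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host = rec["host"]
        name = basename(rec)
        is_artifact = name == CONFIG_FILE or name in DISKCRYPTOR_ARTIFACTS
        if rec["event"] in ("file_create", "process_start") and is_artifact:
            alert = alerts.setdefault(host, {
                "host": host,
                "first_seen": rec["ts"],
                "recovery_deadline": rec["ts"] + SECOND_REBOOT_AFTER,
                "severity": "medium",
                "indicators": [],
            })
            alert["indicators"].append(name)
        elif rec["event"] == "shutdown_initiated" and host in alerts:
            if rec["ts"] - alerts[host]["first_seen"] <= REBOOT_WINDOW:
                alerts[host]["severity"] = "high"
                alerts[host]["indicators"].append("shutdown within reboot window")
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a['host']}: {a['severity']} - collect myConfig.txt before "
              f"{a['recovery_deadline'].isoformat()} ({', '.join(a['indicators'])})")
```

Run against the constructed sample, WS01 is reported as high (artifact plus a reboot two minutes later) with a deadline two hours after the first sighting, WS03 stays medium because its shutdown falls outside the window, and WS02 produces nothing. On a real estate the same correlation would be fed from EDR or Sysmon file-create and process-create events rather than this constructed format, and the deadline field is what tells a responder whether pulling the configuration file is still worthwhile.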
Other mitigations that will make it harder for an attack to succeed and limit the harm caused include:
- Segmenting networks.
- Implementing multifactor authentication.
- Promptly updating/patching software, firmware, and operating systems.
- Regularly changing passwords, avoiding password reuse for multiple accounts, and setting strong passwords.
- Blocking unused RDP/remote access ports.
- Installing antivirus/antimalware software on all devices and ensuring it is set to update automatically.
- Only using secure networks and using a VPN for access.
- Auditing user accounts with admin privileges.
- Applying the principle of least privilege.
- Preventing software from being installed using non-administrator accounts.
Organizations should also ensure they regularly back up all critical data and store those backups in a location that cannot be accessed from the system where the data resides, preferably on an air-gapped device. In the event of an attack, it will then be possible to restore all systems and data without paying the ransom.