The ransomware that wreaked havoc on San Francisco’s Muni mass transit system last Thanksgiving has resurfaced and is infecting enterprises in several countries around the world.
The Mamba ransomware used in these attacks isn’t one of the big-name variants like Cryptolocker or Petya, but it has the potential to cause serious problems. Last November the malware infected the Muni system’s network over the Thanksgiving weekend, causing major train delays and forcing officials to turn off ticket machines and fare gates at some stations. The ransomware wasn’t identified at the time, but researchers at Kaspersky Lab said it was Mamba and found that the malware has been showing up in corporate networks in Brazil and Saudi Arabia in the last month or so.
Interestingly, Mamba is using a legitimate Windows disk encryption utility called DiskCryptor to lock up victims’ files. It’s not entirely clear how Mamba initially finds its way into a network, but many ransomware variants use either exploit kits sitting on compromised or malicious sites or infected attachments sent via email. Once the ransomware is on a new machine, it goes to work in two separate stages.
“As usual, this group gains access to an organization’s network and uses the psexec utility to execute the ransomware. Also, it is important to mention that for each machine in the victim’s network, the threat executor generates a password for the DiskCryptor utility. This password is passed via command line arguments to the ransomware dropper,” Anton Ivanov and Orkhan Mamedov of Kaspersky Lab wrote in an analysis of the ransomware.
Once DiskCryptor is installed, the victim’s machine is rebooted and then the ransomware encrypts the target files. The machine reboots again and the victim is shown the ransom message. Victims have to contact the attackers in order to find out the ransom amount.
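The two-stage chain described above (remote execution via psexec, then DiskCryptor being installed on the host) gives defenders a simple correlation to hunt for. The script below is an added example, not code from the article or from Kaspersky Lab: it parses constructed Windows System-log "service installed" entries and flags hosts where a PsExec service install is followed shortly by a DiskCryptor driver install. It assumes PsExec's default service name PSEXESVC and DiskCryptor's dcrypt driver name, which are not stated on the page.

```python
"""Flag hosts showing the Mamba pattern: a PsExec service install followed
within a short window by a DiskCryptor (dcrypt) driver install."""
import re
from datetime import datetime, timedelta

# Constructed sample log, not real telemetry. Fields: timestamp, host, event id, message.
SAMPLE_LOG = """\
2017-08-09T10:01:12 WS-01 7045 A service was installed in the system. Service Name: PSEXESVC Service File Name: %SystemRoot%\\PSEXESVC.exe
2017-08-09T10:01:40 WS-01 7045 A service was installed in the system. Service Name: dcrypt Service File Name: System32\\drivers\\dcrypt.sys
2017-08-09T10:05:00 WS-02 7045 A service was installed in the system. Service Name: PSEXESVC Service File Name: %SystemRoot%\\PSEXESVC.exe
2017-08-09T14:30:00 WS-03 7045 A service was installed in the system. Service Name: dcrypt Service File Name: System32\\drivers\\dcrypt.sys
2017-08-09T09:00:00 WS-04 7045 A service was installed in the system. Service Name: Spooler Service File Name: spoolsv.exe
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<eid>\d+) (?P<msg>.*)$")
SVC_RE = re.compile(r"Service Name: (?P<name>\S+) Service File Name: (?P<path>\S+)")

# Assumed names: PsExec's default service (renamable with -r, so only a hint)
# and the DiskCryptor driver. Matched case-insensitively against name and path.
PSEXEC_HINTS = ("psexesvc",)
DCRYPT_HINTS = ("dcrypt",)


def parse_events(text):
    """Return (timestamp, host, service_name, file_path) for each 7045 entry."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["eid"] != "7045":
            continue
        s = SVC_RE.search(m["msg"])
        if not s:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["host"],
                       s["name"].lower(), s["path"].lower()))
    return events


def find_mamba_pattern(text, window=timedelta(minutes=10)):
    """Map host -> (psexec_time, dcrypt_time) where a DiskCryptor install
    follows a PsExec install on the same host within `window`. A lone PsExec
    service is routine admin activity; the pairing is what merits an alert."""
    events = sorted(parse_events(text))
    hits = {}
    for ts, host, name, path in events:
        if not any(h in name or h in path for h in DCRYPT_HINTS):
            continue
        for pts, phost, pname, ppath in events:
            if (phost == host and timedelta(0) <= ts - pts <= window
                    and any(h in pname or h in ppath for h in PSEXEC_HINTS)):
                hits[host] = (pts, ts)
    return hits
```

Only WS-01 is reported: WS-02 has the PsExec service alone, WS-03 the driver alone, and WS-04 an unrelated service install.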
Ransomware has become one of the larger threats to both consumers and enterprises, with the last few months having seen several widespread outbreaks. The WannaCry ransomware swept through Europe in May and June, using exploits for vulnerabilities discovered by the NSA and later leaked by the Shadow Brokers. The NotPetya variant followed suit in late June, with the added pain of wiping master boot records on infected machines.