Destructive, disk-encrypting Mamba ransomware springs back to life

The Mamba family of ransomware has suddenly returned -- and it's encrypting the entire hard drives of targeted organisations again.
Written by Danny Palmer, Senior Writer

Mamba - a breed of snake and a family of ransomware.

Image: iStock

A powerful form of ransomware, which encrypts the whole hard drive rather than individual files, has suddenly returned -- and there is currently no way for victims to decrypt their data.

Similar tactics have been used in other ransomware attacks, most notably Petya, which experts said was designed to outright destroy data rather than generate ransom money.

The return of Mamba ransomware has been flagged by Kaspersky Lab. Its return comes after researchers recently suggested that ransomware designed for destruction, rather than extorting a Bitcoin ransom for profit, is set to become the new normal.

While Mamba isn't a particularly common form of ransomware, it claimed a high-profile victim in the form of the San Francisco Municipal Transportation Agency in November last year. That attack forced the agency to temporarily open its fare gates and let passengers ride for free in order to minimise disruption.

Much of the ransomware's effectiveness comes from its use of DiskCryptor, a legitimate open source full-disk encryption tool: rather than encrypting files one by one, it encrypts the whole drive, including the system partition, so the machine can no longer boot into its operating system. Mamba first appeared in September 2016 and mainly targets corporates and other large organisations.
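The reliance on DiskCryptor cuts both ways: because it is a legitimate tool, its binaries are unlikely to be flagged as malware, but installing it and driving it from the console leaves process-creation telemetry on a host where nobody should be running full-disk encryption. The following Python check is an added example, not code from Kaspersky Lab or from this article. The DiskCryptor file names (dcinst.exe, dccon.exe, dcrypt.exe) and console switches (-setup, -encrypt, -enum, -p) are assumed from the tool's own distribution and public write-ups; the host allowlist and the log records are constructed for the example.

```python
"""Flag DiskCryptor use on hosts where full-disk encryption is not sanctioned.

Added illustration, not Kaspersky Lab's or ZDNet's code. The DiskCryptor file
names and console switches below are assumptions taken from the tool's own
distribution; confirm them against your telemetry before deploying.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Executables shipped with the legitimate DiskCryptor package (assumed names).
DISKCRYPTOR_IMAGES = {"dcinst.exe", "dccon.exe", "dcrypt.exe"}

# Hosts where DiskCryptor is an approved FDE product (constructed allowlist).
APPROVED_HOSTS = {"lab-fde-01"}

SEVERITY = {"install": "high", "encrypt": "critical", "recon": "medium"}

# Constructed process-creation records, host|image path|command line, modelled
# on what Sysmon event ID 1 or EDR telemetry would provide.
SAMPLE_LOG = [
    r"ws-0412|C:\Users\Public\dcinst.exe|dcinst.exe -setup",
    r"ws-0412|C:\Users\Public\dccon.exe|dccon.exe -encrypt pt0 -p 123456",
    r"lab-fde-01|C:\Program Files\dcrypt\dccon.exe|dccon.exe -encrypt pt1 -p Sup3rSecret",
    r"ws-0417|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs",
    r"srv-db-02|C:\Temp\dccon.exe|dccon.exe -enum",
]


@dataclass
class Alert:
    host: str
    stage: str               # "install", "encrypt" or "recon"
    severity: str
    command: str
    password: Optional[str]  # recovered from the command line, if present


def classify(image_basename: str, cmdline: str) -> Optional[str]:
    """Map one process-creation record to a DiskCryptor abuse stage, or None."""
    name = image_basename.lower()
    if name not in DISKCRYPTOR_IMAGES:
        return None
    cmd = cmdline.lower()
    if name == "dcinst.exe" or re.search(r"(^|\s)-setup\b", cmd):
        return "install"     # driver/service installation; a reboot follows
    if re.search(r"(^|\s)-encrypt\b", cmd):
        return "encrypt"     # whole-volume encryption is being started
    return "recon"           # any other use, e.g. -enum to list volumes


def recover_password(cmdline: str) -> Optional[str]:
    """The console client takes the password as -p <pw> (assumed switch), so
    telemetry captured before the machine locked may hold the decryption secret."""
    m = re.search(r"(?:^|\s)-p\s+(\S+)", cmdline)
    return m.group(1) if m else None


def detect(lines: List[str]) -> List[Alert]:
    """Run the check over log records; approved hosts are skipped."""
    alerts: List[Alert] = []
    for line in lines:
        host, image, cmdline = line.split("|", 2)
        if host in APPROVED_HOSTS:
            continue
        stage = classify(ntpath.basename(image), cmdline)
        if stage is None:
            continue
        pw = recover_password(cmdline) if stage == "encrypt" else None
        alerts.append(Alert(host, stage, SEVERITY[stage], cmdline, pw))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        note = f"  [password on cmdline: {a.password}]" if a.password else ""
        print(f"{a.severity:8} {a.host:10} {a.stage:8} {a.command}{note}")
```

Two design points: the allowlist is keyed on host rather than on image path, because Mamba drops the same legitimate binaries a sanctioned deployment would use, and the password is extracted only for the encrypt stage, since that is the invocation whose captured command line would let a responder unlock a disk for which no decryptor exists.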

Unlike other forms of ransomware, which usually demand a set ransom, the attackers behind Mamba alter their demand depending on the number of systems infected.

"For every victim this group is demanding different amounts of bitcoins. This depends on how many endpoints and servers were affected," Anton Ivanov, Senior Malware Analyst at Kaspersky Lab, told ZDNet.


Corporations remain the target for those behind Mamba, although this time researchers note that the ransomware is mainly being directed at organisations in Brazil and Saudi Arabia.

There's currently no tool available to decrypt data locked by Mamba. As researchers note, the encryption it uses is strong: DiskCryptor's full-disk encryption is sound when correctly used, and the password is chosen by the attackers, so without it there is nothing for a decryptor to recover.

It's unknown who is behind the Mamba attacks, but the tactics used suggest the work of either a highly organised cybercriminal operation or nation-state backed hackers.
