Mamba ransomware resurfaces in Saudi and Brazil

Mamba was among the first ransomware samples seen in public attacks that encrypted entire hard drives rather than individual files. Its early victims were primarily organizations in Brazil, and it was also used in a high-profile incursion against the San Francisco Municipal Transportation Agency last November.

Researchers at Kaspersky Lab said today in a report that a new run of Mamba infections has been spotted, again in Brazil and now also in Saudi Arabia. The report also suggests that the group behind the latest Mamba attacks in Brazil and Saudi Arabia uses the PSEXEC utility to execute the malware across the corporate network once it has a foothold. PSEXEC was at the heart of the ExPetr malware attacks, which shared a number of similarities with the Petya attacks. ExPetr used PSEXEC and WMIC, another Windows utility, to spread on local networks. Its goal was not profit but destruction; analysts looking at the malware quickly determined that the ransomware functionality was faulty and victims would never be able to recover their files. The true purpose of those attacks was to wipe out the hard drive.

Mamba appeared in September 2016, when researchers at Morphus Labs said the malware had been detected on machines belonging to an energy company in Brazil with subsidiaries in the United States and India. Once the malware infects a Windows machine, it overwrites the existing Master Boot Record with a custom MBR and encrypts the hard drive using DiskCryptor, an open source full disk encryption utility.

Source Credit: Threat Post