Sunday, Sep 27, 2020 | Last Update : 06:49 AM IST

186th Day Of Lockdown

Maharashtra130045899280634761 Andhra Pradesh6614585881695606 Tamil Nadu5693705138369148 Karnataka5572124503028417 Uttar Pradesh3785333136865450 Delhi2644502284365147 West Bengal2410592110204665 Odisha201059165432820 Telangana1838661524411091 Bihar175898161510881 Assam167374136712625 Kerala160935111327636 Gujarat1303911105923394 Rajasthan1247301042881412 Haryana1205781012731273 Madhya Pradesh117588932382152 Punjab107096840253134 Chhatisgarh9856566860777 Jharkhand7770964515661 Jammu and Kashmir69832495571105 Uttarakhand4533233642555 Goa3107125071386 Puducherry2548919781494 Tripura2412717464262 Himachal Pradesh136799526152 Chandigarh112128677145 Manipur9791760263 Arunachal Pradesh8649623014 Nagaland5768469311 Meghalaya5158334343 Sikkim2707199431 Mizoram178612880
  Technology   In Other news  12 Aug 2017  The Mamba ransomware that hit SF’s municipal railway system is back

The Mamba ransomware that hit SF’s municipal railway system is back

DECCAN CHRONICLE
Published : Aug 12, 2017, 10:18 am IST
Updated : Aug 12, 2017, 10:18 am IST

Researchers have discovered that the group behind Mamba has resumed its attacks – targeting corporations, mainly in Brazil and Saudi Arabia.

As usual, this group gains access to an organization’s network and uses the psexec utility to execute the ransomware. Also, it is important to mention that for each machine in the victim’s network, the threat executor generates a password for the DiskCryptor utility. This password is passed via command line arguments to the ransomware dropper. There is currently no way to decrypt data that has been encrypted using DiskCryptor as the encryption algorithms are very strong.
 As usual, this group gains access to an organization’s network and uses the psexec utility to execute the ransomware. Also, it is important to mention that for each machine in the victim’s network, the threat executor generates a password for the DiskCryptor utility. This password is passed via command line arguments to the ransomware dropper. There is currently no way to decrypt data that has been encrypted using DiskCryptor as the encryption algorithms are very strong.

In late November 2016, a huge attack took place against San Francisco’s municipal railway. Perpetrated with ransomware called Mamba, the attack apparently took out more than 2,000 computers belonging to the San Francisco Municipal Transport Agency (SFMTA).

Kaspersky Lab researchers have discovered that the group behind Mamba has resumed its attacks – targeting corporations, so far mainly in Brazil and Saudi Arabia.

 

 As usual, this group gains access to an organization’s network and uses the psexec utility to execute the ransomware. Also, it is important to mention that for each machine in the victim’s network, the threat executor generates a password for the DiskCryptor utility. This password is passed via command line arguments to the ransomware dropper. There is currently no way to decrypt data that has been encrypted using DiskCryptor as the encryption algorithms are very strong.

In a nutshell, the malicious activity can be separated into two stages:

Stage 1 (Preparation)

As the trojan uses the DiskCryptor utility, the first stage deals with installing this tool on a victim machine. The malicious dropper stores DiskCryptor’s modules in their own resources.

 

Depending on OS information, the malware is able to choose between 32- or 64-bit DiskCryptor modules. The necessary modules will be dropped into the “C:xampphttp” folder.

After that, it launches the dropped DiskCryptor installer. When DiskCryptor is installed, the malware creates a service that has SERVICE_ALL_ACCESS and SERVICE_AUTO_START parameters. The last step of Stage 1 is to reboot the system.

Stage 2 (Encryption)

Using the DiskCryptor software, the malware sets up a new bootloader to MBR.

The bootloader contains the ransom message for the victim. After the bootloader is set, disk partitions would be encrypted using a password, previously specified as a command line argument for the dropper. When the encryption ends, the system will be rebooted, and a victim will see a ransom note on the screen. Kaspersky Lab products detect this threat with the help of the System Watcher component with the following verdict: PDM:Trojan.Win32.Generic.

 

Decryption

Unfortunately, there is no way to decrypt data that has been encrypted using the DiskCryptor utility because this legitimate utility uses strong encryption algorithms.

Businesses concerned about their potential vulnerability to this threat are advised to:

  • Always install critical software patches released by developers and use the latest software versions.
  • Do not run or open attachments from untrusted sources.
  • Backup sensitive data to external storage and keep it offline.
  • Non-Kaspersky Lab customers can download the free Kaspersky Anti-Ransomware Tool for business (KART).
  • If a Kaspersky Lab solution is used, ensure that it includes the System Watcher, a behavioral proactive detection component, and that it is switched on.

 

Tags: cybercrime, hacking, mamba, ransomware