Security Experts:

Connect with us

Hi, what are you looking for?


Data Protection

Mamba Ransomware Leverages DiskCryptor for Encryption, FBI Warns

The Federal Bureau of Investigation (FBI) this week published an alert to warn of the fact that the Mamba ransomware is abusing the DiskCryptor open source tool to encrypt entire drives, including the operating system.

The Federal Bureau of Investigation (FBI) this week published an alert to warn of the fact that the Mamba ransomware is abusing the DiskCryptor open source tool to encrypt entire drives, including the operating system.

Also referred to as HDDCryptor and HDD Cryptor, the ransomware has been around for roughly half a decade, and has been abusing DiskCryptor for nearly as long.

An open source tool, DiskCryptor was designed to provide users with the option to encrypt all disk drives, including the system partition. Claiming to provide a better alternative to Microsoft’s BitLocker, the application was released with the purpose of helping users keep their data secure.

The Mamba ransomware, however, is abusing the open source application for malicious purposes, and has been doing so in a multitude of attacks.

[ ALSO READ: Sierra Wireless Says Ransomware Disrupted ]

Some of these incidents, the FBI warns, targeted local governments, legal and technology services, public transportation agencies, and industrial, commercial, manufacturing, and construction entities.

“Mamba ransomware weaponizes DiskCryptor—an open source full disk encryption software—to restrict victim access by encrypting an entire drive, including the operating system,” the FBI notes, adding that DiskCryptor is not a malicious application by nature.

“The ransomware program consists of the open source, off-the-shelf, disk encryption software DiskCryptor wrapped in a program which installs and starts disk encryption in the background using a key of the attacker’s choosing,” the FBI explains.

Upon the installation of DiskCryptor, the system is restarted. After the encryption process has been completed, the system is restarted a second time, and a ransom note is displayed to the user.

The ransom note includes information such as host system name, the threat actor’s email address, the ransomware file name, and indications on where to enter the decryption key. Furthermore, victims are told to contact the attackers by email to receive information on how they can pay a ransom to receive the decryption key.

The FBI notes that the ransomware saves the encryption key, along with the shutdown time variable, to a configuration file named myConf.txt. The file is accessible and readable until the second system restart, which concludes the encryption process.

“If any of the DiskCryptor files are detected, attempts should be made to determine if the myConf.txt is still accessible. If so, then the password can be recovered without paying the ransom. This opportunity is limited to the point in which the system reboots for the second time,” the FBI reveals.

To stay protected from Mamba and other ransomware families out there, users are advised to always keep their data backed up, to avoid clicking on links or opening documents received via email, to keep all applications updated, including an antivirus program, and to apply all of the usual proactive measures to prevent malware infection.

“The FBI does not encourage paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities,” the FBI notes.

Related: After IT Outage, Kia and Hyundai Say No Evidence of Ransomware Attack

Related: U.S. Agencies Publish Ransomware Factsheet

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.