Mamba Ransomware Leverages DiskCryptor for Encryption, FBI Warns

The Federal Bureau of Investigation (FBI) this week published an alert to warn of the fact that the Mamba ransomware is abusing the DiskCryptor open source tool to encrypt entire drives, including the operating system.

Also referred to as HDDCryptor and HDD Cryptor, the ransomware has been around for roughly half a decade, and has been abusing DiskCryptor for nearly as long.

An open source tool, DiskCryptor was designed to provide users with the option to encrypt all disk drives, including the system partition. Claiming to provide a better alternative to Microsoft’s BitLocker, the application was released with the purpose of helping users keep their data secure.

The Mamba ransomware, however, is abusing the open source application for malicious purposes, and has been doing so in a multitude of attacks.

[ ALSO READ: Sierra Wireless Says Ransomware Disrupted ]

Some of these incidents, the FBI warns, targeted local governments, legal and technology services, public transportation agencies, and industrial, commercial, manufacturing, and construction entities.

“Mamba ransomware weaponizes DiskCryptor—an open source full disk encryption software—to restrict victim access by encrypting an entire drive, including the operating system,” the FBI notes, adding that DiskCryptor is not a malicious application by nature.

“The ransomware program consists of the open source, off-the-shelf, disk encryption software DiskCryptor wrapped in a program which installs and starts disk encryption in the background using a key of the attacker’s choosing,” the FBI explains.

Upon the installation of DiskCryptor, the system is restarted. After the encryption process has been completed, the system is restarted a second time, and a ransom note is displayed to the user.

The ransom note includes information such as host system name, the threat actor’s email address, the ransomware file name, and indications on where to enter the decryption key. Furthermore, victims are told to contact the attackers by email to receive information on how they can pay a ransom to receive the decryption key.

The FBI notes that the ransomware saves the encryption key, along with the shutdown time variable, to a configuration file named myConf.txt. The file is accessible and readable until the second system restart, which concludes the encryption process.

“If any of the DiskCryptor files are detected, attempts should be made to determine if the myConf.txt is still accessible. If so, then the password can be recovered without paying the ransom. This opportunity is limited to the point in which the system reboots for the second time,” the FBI reveals.

To stay protected from Mamba and other ransomware families out there, users are advised to always keep their data backed up, to avoid clicking on links or opening documents received via email, to keep all applications updated, including an antivirus program, and to apply all of the usual proactive measures to prevent malware infection.

“The FBI does not encourage paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities,” the FBI notes.

Related: After IT Outage, Kia and Hyundai Say No Evidence of Ransomware Attack

Related: U.S. Agencies Publish Ransomware Factsheet