Connect with us

Hi, what are you looking for?


Data Protection

Mamba Ransomware Leverages DiskCryptor for Encryption, FBI Warns

The Federal Bureau of Investigation (FBI) this week published an alert to warn of the fact that the Mamba ransomware is abusing the DiskCryptor open source tool to encrypt entire drives, including the operating system.

The Federal Bureau of Investigation (FBI) this week published an alert to warn of the fact that the Mamba ransomware is abusing the DiskCryptor open source tool to encrypt entire drives, including the operating system.

Also referred to as HDDCryptor and HDD Cryptor, the ransomware has been around for roughly half a decade, and has been abusing DiskCryptor for nearly as long.

An open source tool, DiskCryptor was designed to provide users with the option to encrypt all disk drives, including the system partition. Claiming to provide a better alternative to Microsoft’s BitLocker, the application was released with the purpose of helping users keep their data secure.

The Mamba ransomware, however, is abusing the open source application for malicious purposes, and has been doing so in a multitude of attacks.

[ ALSO READ: Sierra Wireless Says Ransomware Disrupted ]

Some of these incidents, the FBI warns, targeted local governments, legal and technology services, public transportation agencies, and industrial, commercial, manufacturing, and construction entities.

“Mamba ransomware weaponizes DiskCryptor—an open source full disk encryption software—to restrict victim access by encrypting an entire drive, including the operating system,” the FBI notes, adding that DiskCryptor is not a malicious application by nature.

Advertisement. Scroll to continue reading.

“The ransomware program consists of the open source, off-the-shelf, disk encryption software DiskCryptor wrapped in a program which installs and starts disk encryption in the background using a key of the attacker’s choosing,” the FBI explains.

Upon the installation of DiskCryptor, the system is restarted. After the encryption process has been completed, the system is restarted a second time, and a ransom note is displayed to the user.

The ransom note includes information such as host system name, the threat actor’s email address, the ransomware file name, and indications on where to enter the decryption key. Furthermore, victims are told to contact the attackers by email to receive information on how they can pay a ransom to receive the decryption key.

The FBI notes that the ransomware saves the encryption key, along with the shutdown time variable, to a configuration file named myConf.txt. The file is accessible and readable until the second system restart, which concludes the encryption process.

“If any of the DiskCryptor files are detected, attempts should be made to determine if the myConf.txt is still accessible. If so, then the password can be recovered without paying the ransom. This opportunity is limited to the point in which the system reboots for the second time,” the FBI reveals.

To stay protected from Mamba and other ransomware families out there, users are advised to always keep their data backed up, to avoid clicking on links or opening documents received via email, to keep all applications updated, including an antivirus program, and to apply all of the usual proactive measures to prevent malware infection.

“The FBI does not encourage paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities,” the FBI notes.

Related: After IT Outage, Kia and Hyundai Say No Evidence of Ransomware Attack

Related: U.S. Agencies Publish Ransomware Factsheet

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...