London, UK – August 10, 2017 – Mamba ransomware appeared in 2016 and was one of the first viruses to encrypt whole hard drives rather than individual files. It uses the legitimate tool DiskCryptor for full disk encryption. Researchers from Kaspersky Lab report that the creators of this ransomware resumed attacks on corporations in August. The virus has currently been found in Saudi Arabia and Brazil; the last notable attack using it was against the municipal transport agency of San Francisco in November 2016. Adversaries gain access to the network of the attacked company and use the psexec utility to run the ransomware. The dropper contains the DiskCryptor modules; it installs them and registers a system service named DefragmentService. It then reboots the victim's computer and encrypts the disk partitions. DiskCryptor uses strong encryption algorithms, so at the moment only the attackers can decrypt the files.
To detect ransomware before adversaries manage to encrypt your data, you can use the Ransomware Hunter use case from the S.M.A. Cloud. It notifies you about potentially infected hosts and displays the most vulnerable hosts. It can also block possible communications with known ransomware servers to protect the organization from infamous threats.
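The sequence described above (a psexec launch followed by registration of the DefragmentService service, before the reboot) can be hunted in exported Windows System-log events. The following is an added example, not part of the original release or of the Ransomware Hunter use case; it assumes Service Control Manager event 7045 records exported as XML, PsExec's default service name PSEXESVC, a 30-minute correlation window, and constructed sample events.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SERVICE_INSTALLED = 7045               # System log: "A service was installed in the system"
MAMBA_SERVICE = "defragmentservice"    # service name reported in the article
PSEXEC_SERVICE = "psexesvc"            # PsExec's default service name (not from the article)
WINDOW = timedelta(minutes=30)         # assumed correlation window

def _event(eid, ts, host, svc):
    """Build one constructed event in the Windows event XML layout."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{ts}"/><Computer>{host}</Computer></System>'
            f'<EventData><Data Name="ServiceName">{svc}</Data></EventData></Event>')

# Constructed sample data; host names and times are invented.
SAMPLE = "<Events>" + "".join([
    _event(7045, "2017-08-10T09:00:05.000Z", "FIN-WS01", "PSEXESVC"),
    _event(7045, "2017-08-10T09:01:10.000Z", "FIN-WS01", "DefragmentService"),
    _event(7045, "2017-08-10T10:00:00.000Z", "OPS-SRV2", "PSEXESVC"),
    _event(7045, "2017-08-10T11:30:00.000Z", "HR-WS07", "DefragmentService"),
]) + "</Events>"

def parse_events(xml_text):
    """Yield (time, host, event_id, service_name) for each exported event."""
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        sysn = ev.find("e:System", NS)
        ts = sysn.find("e:TimeCreated", NS).get("SystemTime")
        svc = ev.find("e:EventData/e:Data[@Name='ServiceName']", NS)
        yield (datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S"),
               sysn.findtext("e:Computer", namespaces=NS),
               int(sysn.findtext("e:EventID", namespaces=NS)),
               (svc.text or "").strip().lower() if svc is not None else "")

def hunt(xml_text):
    """Return one finding per DefragmentService install, noting a recent PsExec launch."""
    last_psexec, findings = {}, []
    for when, host, eid, svc in sorted(parse_events(xml_text)):
        if eid == SERVICE_INSTALLED and svc == PSEXEC_SERVICE:
            last_psexec[host] = when   # remember the latest PsExec service install per host
        elif eid == SERVICE_INSTALLED and svc == MAMBA_SERVICE:
            seen = last_psexec.get(host)
            findings.append({"host": host, "time": when,
                             "via_psexec": seen is not None and when - seen <= WINDOW})
    return findings

if __name__ == "__main__":
    print(*hunt(SAMPLE), sep="\n")
```

A PSEXESVC install on its own (OPS-SRV2 in the sample) produces no finding, since psexec is also an ordinary administration tool; only the DefragmentService registration is flagged.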