MAMBA or HDDCryptor Back in India. Confirmed!

Prevention from ransomware has a split prevention mechanism

Mamba is the nastiest of all ransomware because it encrypts the entire hard drive and not just the files. It hit India back in 2016, and is back in India with a bang!

Kaspersky Labs, Trend Micro and other security researchers confirmed the rise of Mamba and Locky, where the havoc was being caused in Brazil and Saudi Arabia earlier in August 2017, but it is now confirmed that both these ransomware are hitting Indian organisations and users in August 2017.

Background and ramifications
In July 2016, when Mamba hit India, the value of Bitcoin was ~$650. Bitcoin now costs a mind-boggling ~$4,000. With Bitcoin shooting past the $4k mark, Indians will now have to shell out over ~INR 2,50,000 per BTC if they get infected.

Ankush Johar, director at, a leading provider of human information security awareness and preparedness solutions, said: "Prevention is better than cure. Backup, Backup, Backup! Even if the Ransomware affects you, the backup will protect your digital assets. After taking backups regularly, take them offline, where possible."

"Phishing is at the heart of these ransomware attacks. This is the easiest and the most common point of entry. Humans are the weakest link in cyber security and malicious actors know this all too well. If an organisation wants to safeguard its digital assets, create a discipline around Backups, and taking them offline for storage."

What are Mamba and Locky ransomware?
Mamba (or HDDCryptor) is a powerful kind of ransomware (malware that locks users' files and demands a ransom to release them) that encrypts the entire disk instead of just encrypting files. It scrambles every sector on the hard drive, including the Master File Table (the place where information about every file and directory on a hard drive is stored), the operating system, shared files and personal data.

The malware installs and activates a copy of the open source software DiskCryptor. DiskCryptor is a Full Disk Encryption (FDE) tool. Once DiskCryptor encrypts a disk, it asks for a password every time a machine reboots. This password is then used to encrypt everything a user may write on the HDD and decrypt anything that a user wants to read.

Mamba uses DiskCryptor to encrypt the HDD, and the user has no idea what the password is. Hence, they have no option other than paying the ransom, or else they lose their data. So, every time a user boots up the machine, they get a message informing them about the encryption and asking them to purchase the decryption key.

Locky, on the other hand, has been one of the most widely distributed ransomware families. It works by tricking victims into downloading an attachment. The attachment consists of scrambled, unreadable text with a title asking the user to enable macros (in Microsoft Word). When the victim does so, Locky gets executed and renames all the important files so that they have the extension .locky after encryption.

Users can still use their PC/laptop for the Internet and other general tasks, but all their important files are rendered inaccessible. Locky demands a ransom of 0.25 BTC to 1 BTC, whereas Mamba doesn't have a fixed ransom.

How do Mamba and Locky spread?
Locky is spreading via spam email campaigns. The malware is delivered in malicious documents (Word, Excel, etc.) attached to the emails; the documents contain macros with obfuscated Visual Basic Script (VBS).

Mamba ransomware mostly targets big organisations and governmental bodies. Unlike other forms of ransomware, which usually have a set ransom, the attackers behind Mamba alter their demand depending on the number of systems infected. Mamba has been seen spreading as an "exe" file with a numeric name like 141.exe. This file is generally delivered via hacked websites a victim might visit, or via an already compromised network.
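The two delivery vectors described above (Locky's macro-bearing Office attachments and Mamba's numerically named executable) can be screened at the mail gateway or on a file share. The following is an added example written for this article, not code from the researchers or vendors cited; the macro check looks for a VBA project part in OOXML files and, as a labelled heuristic, for the "Macros"/"VBA" storage names in legacy OLE files. All sample attachments are constructed inline and are not real malware.

```python
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office container
NUMERIC_EXE = re.compile(r"^\d+\.exe$", re.IGNORECASE)  # e.g. 141.exe as described above

def has_vba_macros(data: bytes) -> bool:
    """True if an Office blob carries a VBA project (macro-enabled document)."""
    if data.startswith(b"PK"):  # OOXML (.docx/.docm/.xlsm) is a zip container
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
        except zipfile.BadZipFile:
            return False
    if data.startswith(OLE_MAGIC):  # legacy .doc/.xls
        # Heuristic: OLE directory names are UTF-16LE; macro documents carry "Macros"/"VBA" storages
        return "Macros".encode("utf-16-le") in data or "VBA".encode("utf-16-le") in data
    return False

def triage_attachment(filename: str, data: bytes) -> list:
    """Return the reasons (empty if none) to quarantine this attachment."""
    reasons = []
    if has_vba_macros(data):
        reasons.append("office document with VBA macro project")
    if NUMERIC_EXE.match(filename):
        reasons.append("executable with all-numeric name")
    return reasons

def build_ooxml(with_macros: bool) -> bytes:
    """Construct a minimal OOXML document, with or without a VBA part (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"\x01\x16\x01\x00")  # dummy bytes, not a real project
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample attachments, not real malware.
    samples = {
        "invoice.docm": build_ooxml(True),
        "report.docx": build_ooxml(False),
        "141.exe": b"MZ" + b"\x00" * 16,
        "legacy.doc": OLE_MAGIC + b"\x00" * 8 + "Macros".encode("utf-16-le"),
    }
    for name, blob in samples.items():
        print(name, "->", ", ".join(triage_attachment(name, blob)) or "clean")
```

Flagged attachments should be held for review rather than silently dropped, since legitimate macro-enabled documents exist; the numeric-name rule is a weak signal on its own and belongs alongside the antivirus and patching steps listed below.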

Stay safe
According to Ankush Johar, ransomware prevention is a split mechanism, with steps for individual users and steps for organisations.

Use the latest operating system.
Make sure automatic updates are enabled and downloaded regularly.
Ensure the firewall is enabled to block network-based attacks.
Never click on or download anything in emails from untrusted sources. Make sure the email is from a trusted party; only then download the attachments.
Use a proper, regularly updated antivirus.

The latest patches must be deployed across the company immediately.
All pirated, unpatched or outdated devices must be removed (read: unplugged) from the network immediately.
Employees must be trained to detect and protect against phishing and other such scams.
Antivirus software must be in place and kept updated.
