As if encrypting your individual files was not enough, a recently discovered ransomware virus called Mamba encrypts your entire hard drive.
This may sound similar to the Peyta drive encryption ransomware that made headlines earlier this year. But Mamba is a different animal. It differs from Peyta in that it encrypts the entire hard drive while Peyta encrypts only the Master File Table (MFT), the information store that tracks which files are on the drive and where they are located. With Peyta, forensics can recover the data from the drive since the data itself is not impacted. There is also a password generator tool for Peyta that can be used to decrypt the MFT. There is currently no easy fix for the sneaky snake known as Mamba.
Mamba starts by overwriting the Master Boot Record (MBR), the program that tells your computer where to find the files to start your operating system. Mamba’s custom MBR tells the computer to load a ransom demand instead of the operating system when the machine restarts. The ransom demand reads as follows:
You are Hacked! H.D.D. Encrypted, Contact Us For Decryption Key (firstname.lastname@example.org) YOURID: 987654
Mamba encrypts the hard drive as well as other mounted drives such as USB flash drives using an AES-256 compatible open source full-disk encryption program called DiskCryptor. Mamba is primarily distributed through phishing emails, but that could change as Mamba distribution grows. The ransomware currently targets only Microsoft Windows machines of any variety including Windows XP, Windows 7 and Windows 10.
What to do if you’re attacked with Mamba
If your computer is infected with Mamba, your first recovery step is to restore from backup. Mamba encrypts the entire drive so victims will be unable to access the files or operating system without the decryption key. This means that the operating system and all files will need to be restored from backup.
With most ransomware, you have the option of restoring just the files or folders that were encrypted, or the entire machine. The recommended approach is to restore the whole computer, but some cases require the that the device be put back into service as quickly as possible, so a file restore is performed. There is no such choice with Mamba.
There are two options when restoring the system, based on what data is available to restore. Victims with a full system backup can restore the entire system backup to the machine in a single operation. If a full system backup is not available, victims will need to install the operating system and programs and then restore the data. The second option takes more time to perform, and it requires that the user knows which applications were installed on the system, but it will bring the system to a fully functional state with applications and data in the end.
Take the time now to ensure that you have adequate backups so that you can restore your system in case you encounter full-disk encryption ransomware like Mamba. Consider which restore strategy would be ideal for your company, and how much time your employees can go without access to their computers or data. Then craft a backup strategy that meets your recovery expectations.
For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.
About Eric Vanderburg
Eric Vanderburg is an information security executive, thought leader and author known for his insight on cybersecurity, privacy, data protection and storage. Some have called him the “Sheriff of the Internet” since he and his cybersecurity team at JurInnov protect companies from cyber threats, investigate data breaches, and provide guidance on safe computing.