FBI Alert Number: CU-000143-MW

“Mamba” is a modified ransomware that weaponizes DiskCryptor (an open-source full-disk encryption system for Microsoft Windows).

Once Mamba enters a system, it installs the DiskCryptor encryption service and restarts the machine to complete the driver installation. Mamba then encrypts the entire hard disk of the affected computer rather than individual files. When encryption completes, it reboots the system again to display a ransom note that includes the cybercriminal’s contact email addresses, a victim ID and a prompt to enter the decryption key (below).

“Your Data Encrypted, Contact For Key (mcrypt2XX7@yandex.com OR citrix2XX4@protonmail.com) Your ID: 876 ,Enter Key:_”

The ransom note at the boot screen demands a ransom to decrypt the disk.

Based on our analysis and prior variants, we suspect that the infection vector is either an exploit kit hosted on a compromised or malicious site, or malicious attachments sent via spam email.
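The service-installation-then-reboot behaviour described above leaves a trace that defenders can hunt for. The following PowerShell is an added example, not part of the advisory or the Thirtyseven4 product; the name patterns are assumptions about DiskCryptor’s components (service "dcrypt", driver dcrypt.sys) and should be extended to match your own telemetry.

```powershell
# Added example, not from the advisory: look for a freshly installed
# disk-encryption service/driver in the System event log (Event ID 7045,
# "A service was installed in the system") and in the live driver list.
# The name patterns are assumptions about DiskCryptor's components.
function Find-DiskCryptorInstall {
    param([int]$Days = 7)
    $pattern = 'dcrypt|diskcryptor|dcapi|dcinst'   # assumed component names
    $since   = (Get-Date).AddDays(-$Days)

    $filter = @{ LogName = 'System'; Id = 7045; StartTime = $since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # 7045 carries named fields: ServiceName, ImagePath, ServiceType, StartType, AccountName
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data['ServiceName'] -match $pattern -or $data['ImagePath'] -match $pattern) {
            [pscustomobject]@{
                Source      = 'EventLog 7045'
                Time        = $e.TimeCreated
                ServiceName = $data['ServiceName']
                ImagePath   = $data['ImagePath']
                StartType   = $data['StartType']
                Account     = $data['AccountName']
            }
        }
    }

    # Also check drivers present right now (the install may predate the log window)
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.Name -match $pattern -or $_.PathName -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Source      = 'Win32_SystemDriver'
                Time        = $null
                ServiceName = $_.Name
                ImagePath   = $_.PathName
                StartType   = $_.StartMode
                Account     = $null
            }
        }
}

Find-DiskCryptorInstall -Days 30 | Format-Table -AutoSize
```

Because an infected host reboots into the ransom screen, run this against forwarded or centrally collected event logs where available, and treat a hit on any machine without a sanctioned disk-encryption deployment as an incident.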


Detection available in Thirtyseven4:

Ransom.DCryptor.S19498972
Ransom.HDDCrypt

Thirtyseven4 Endpoint Security multilayer protection approach:

Thirtyseven4 Endpoint Security comes equipped with multiple layers of protection to proactively combat the latest and emerging threats and malware, including Mamba. The Thirtyseven4 multi-layer approach is handled by various Thirtyseven4 modules, including Real-time Protection, Behavior Detection System (BDS), file-based detection, cloud-based detection, URL categorization/Web Protection, Email Protection and Anti-Ransomware. The combined layered protection allows Thirtyseven4 to protect against known and unknown threats and malware. For unknown threats, Thirtyseven4 relies on its behavior-based BDS and Anti-Ransomware modules, which provide heuristic detection of common tools, techniques and tactics used by adversaries to carry out malicious intent, such as ransomware encrypting many files at once. These modules proactively assist in detecting known and unknown malware in real time.


Below are a few guidelines to help minimize potential threats to your network:

Email:

  • Enable Multi-Factor authentication to ensure all logins are legitimate.
  • Set password expiration and account lockout policies (lock the account after repeated wrong passwords).
  • Don’t open attachments and links in an email sent by an unknown, unexpected or unwanted source.

Delete suspicious looking emails you receive from unknown sources, especially if they contain links or attachments. Cybercriminals use ‘Social Engineering’ techniques to trick users into opening attachments or clicking on links that lead to infected websites.

  • Always turn on email protection of your antivirus software.


Secure Browsing

  • Always update your browser
  • Avoid downloading pirated/cracked media or software from torrent and similar sites.
  • Block ad pop-ups in the browser.
  • Always verify whether you are accessing the genuine site by checking the address bar of the browser. Phishing sites often show content resembling a genuine one.
  • Bookmark important sites to avoid becoming a victim of phishing.
  • Do not share personal details such as your name, contact number, email address or social networking credentials on any unknown website.
  • Do not install extensions in browsers which you are not fully aware of. Be aware of impersonating web-pages and do not “allow” any prompt on an unknown web page that you are visiting. Avoid visiting crack software download websites.


Take regular data backup

  • Back up your important data regularly and keep a recent backup copy offline. Encrypt your backups.
  • Always use a combination of online and offline backup
  • If your computer gets infected with ransomware, your files can be restored from the offline backup, once the malware has been removed.
  • Do not keep offline backups connected to your system as this data could be encrypted when ransomware strikes.


Users & privileges

  • Regularly audit “Local / Domain Users” and remove/disable unwanted users.
  • Set strong passwords for user, email and other accounts (a strong password mixes UPPER CASE and lower case letters, numbers and special characters; common patterns such as P@ssw0rd or Admin@123# are bad examples even though they meet those rules).
  • Set password expiration and account lockout policies (lock the account after repeated wrong passwords).
  • Don’t assign Administrator privileges to ordinary users.
  • If possible, enable Multi-Factor Authentication to ensure all logins are legitimate.
  • Don’t stay logged in as an administrator, unless strictly necessary
  • Avoid browsing, opening documents or other regular work activities while logged in as an administrator.


Keep software updated

  • Keep your Operating System and other software updated. Software updates frequently include patches for newly discovered security vulnerabilities which could be exploited by attackers. Apply patches and updates for software like Microsoft Office, Java, Adobe Reader, Flash, and Internet Browsers like Internet Explorer, Chrome, Firefox, Opera, etc., including Browser Plugins.
  • Always keep your Security software (antivirus, firewall, etc.) up-to-date to protect your computer from new variants of malware.
  • Do not download cracked/pirated software, as they risk backdoor entry for malware into your computer.
  • Avoid downloading software from untrusted P2P or torrent sites. In most cases, they harbor malicious software.


Network and Shared folders

  • Keep strong and unique passwords for login accounts and network shares.
  • Disable unnecessary administrative shares such as admin$, and grant access to shared data only as required.
  • Audit RDP access and disable it if not required; otherwise, set firewall rules so that only specific, intended systems can connect.
  • Change the RDP port to a non-standard port.
  • Configure the firewall in the following way:
      o Deny all access to important ports (in this case RDP port 3389).
      o Allow access only from IPs that are under your control.

  • Use a VPN to access the network, instead of exposing RDP to the Internet.
  • Where possible, implement Two-Factor Authentication (2FA).
  • Set a lockout policy that hinders credential guessing.
  • Create a separate network folder for each user when managing access to shared network folders.
  • Don’t keep shared software in executable form
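One way to carry out the RDP and firewall steps above on a Windows host, as an added PowerShell example that is not part of the advisory; the management address list and rule name are assumptions, and the script expects to run elevated.

```powershell
# Added example, not from the advisory: restrict inbound RDP (TCP 3389) to an
# allow-list of management addresses, or disable RDP outright if not needed.
$AllowedMgmt = @('10.0.100.0/24', '192.0.2.10')   # constructed placeholder values
$RdpNeeded   = $true                               # set $false to disable RDP entirely
$RuleName    = 'RDP - management hosts only'

if (-not $RdpNeeded) {
    # Turn Remote Desktop off at the OS level and close the firewall holes for it
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                     -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    return
}

# "Deny all": make the default inbound action Block on every profile so that
# only explicit allow rules admit connections.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# Disable the built-in RDP rules, which allow any remote address...
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# ...and replace them with one rule scoped to the addresses you control.
if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
    Remove-NetFirewallRule -DisplayName $RuleName
}
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
    -LocalPort 3389 -RemoteAddress $AllowedMgmt -Action Allow -Profile Domain,Private | Out-Null

# Verify: every enabled inbound rule that still admits TCP 3389 and its remote scope
Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '3389' } |
    Get-NetFirewallRule | Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        '{0,-35} Action={1} Remote={2}' -f $_.DisplayName, $_.Action, ($remote -join ',')
    }
```

The verification step should list only the allow-list rule; any other enabled inbound rule for 3389 with Remote=Any means the port is still exposed.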

Evaluation licenses of Thirtyseven4 Antivirus are available at: https://www.thirtyseven4.com/free-trial/. For more information contact Thirtyseven4 at 877-374-7581.

About Thirtyseven4:

Born out of a desire to better connect antivirus protection solutions with premium customer support and service, Thirtyseven4, LLC seeks to protect schools, businesses, governmental agencies and home‐users with the best antivirus products available. Thirtyseven4 is an American company built on honesty, trust and value for the customer. http://www.thirtyseven4.com.


Thirtyseven4, LLC is dedicated to serving customers with a full palette of security solutions including AntiVirus, AntiMalware, Anti-Ransomware and Zero-Day Threat Protection.