Security experts have discovered that the notorious Mamba ransomware that hit the San Francisco Municipal Transportation Agency in November last year has reemerged in Saudi Arabia and Brazil. The malware uses a legitimate Windows disk encryption utility, DiskCryptor, to encrypt victims' entire hard drives rather than individual files.
Late last year, Mamba infected roughly 900 computers used by the SFMTA, with the attackers demanding a ransom of 100 bitcoins ($337,000, £259,658). Following the attack, San Francisco Municipal Railway (Muni) passengers were allowed to ride for free while the agency mitigated the threat, according to local reports.
Shortly after the attack, the email inbox used by the hacker responsible for it was reportedly hacked by a security researcher who uncovered a trove of emails that revealed clues about the perpetrator's location, identity and earlier nefarious activities.
Regarding the new wave of Mamba attacks spotted in Brazil and Saudi Arabia, researchers explain that the threat actors first gain access to a targeted organization's network and then use PsExec, the Sysinternals remote-execution tool, to run the ransomware dropper on machines across that network.
Once the dropper runs on a Windows machine, it installs DiskCryptor, overwrites the existing Master Boot Record with a custom MBR and encrypts the hard drive with DiskCryptor. When encryption finishes, the system is rebooted; because the disk is now encrypted, the custom MBR takes over at boot and the victim is met with the ransom note on screen instead of Windows.
The ransom note does not state an amount. Instead, it says that the victim's hard drive has been encrypted and provides two email addresses along with a unique ID number to quote when asking for the decryption key.
"It is important to mention that for each machine in a victim's network, the threat actor generates a password for the DiskCryptor utility. This password is passed via command line arguments to the ransomware dropper," Kaspersky Lab said.
"Unfortunately there is no way to decrypt data that has been encrypted with the DiskCryptor utility, because this legitimate utility uses strong encryption algorithms."
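Two details above are directly actionable for defenders. PsExec registers a service on every host it touches, which lands in the System event log as a 7045 "service was installed" record with no extra auditing required, and DiskCryptor's kernel driver is installed the same way. More importantly, the per-host DiskCryptor password is handed to the dropper on its command line, so endpoint telemetry that records command lines (Sysmon Event ID 1, or Windows 4688 with command-line auditing enabled) may contain the very password that cannot otherwise be recovered. The following Python is an added example, not code from the article or from Kaspersky: it runs that hunt over constructed Windows/Sysmon events. PSEXESVC is PsExec's default service name; dcrypt.sys is assumed here to be the DiskCryptor driver file; the hostnames, the dropper path, the argument layout and the password strings are invented for the sample.

```python
import shlex
from collections import defaultdict

# Indicators. PSEXESVC is the service PsExec registers on the remote host by
# default (System log, EventID 7045). dcrypt.sys is ASSUMED to be the
# DiskCryptor kernel driver name; adjust if your samples register it differently.
PSEXEC_SERVICE = "PSEXESVC"
DISKCRYPTOR_DRIVER = "dcrypt.sys"

# Constructed sample telemetry (not from any real incident). Field names follow
# the Windows System 7045 and Sysmon EventID 1 schemas; hostnames, the path
# "dropper.exe", its argument layout and the password strings are hypothetical.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"Computer": "WS01", "EventID": 1, "ParentImage": r"C:\Windows\PSEXESVC.exe",
     "Image": r"C:\Users\Public\dropper.exe",
     "CommandLine": r"C:\Users\Public\dropper.exe Xk8pQ2zTr"},
    {"Computer": "WS01", "EventID": 7045, "ServiceName": "dcrypt",
     "ImagePath": r"system32\drivers\dcrypt.sys"},
    {"Computer": "WS02", "EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"Computer": "WS02", "EventID": 1, "ParentImage": r"C:\Windows\PSEXESVC.exe",
     "Image": r"C:\Users\Public\dropper.exe",
     "CommandLine": r"C:\Users\Public\dropper.exe 7mLwFd9Vb"},
    {"Computer": "WS02", "EventID": 7045, "ServiceName": "dcrypt",
     "ImagePath": r"system32\drivers\dcrypt.sys"},
    # Benign noise: an administrator's own PsExec session running a normal tool.
    {"Computer": "WS03", "EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"Computer": "WS03", "EventID": 1, "ParentImage": r"C:\Windows\PSEXESVC.exe",
     "Image": r"C:\Windows\System32\ipconfig.exe", "CommandLine": "ipconfig /all"},
]


def _ends_with(path, suffix):
    """Case-insensitive suffix match on a Windows path."""
    return path.lower().replace("/", "\\").endswith(suffix.lower())


def is_psexec_service_install(ev):
    """System 7045 for the PSEXESVC service: PsExec was run against this host."""
    return ev.get("EventID") == 7045 and (
        ev.get("ServiceName", "").upper() == PSEXEC_SERVICE
        or _ends_with(ev.get("ImagePath", ""), PSEXEC_SERVICE + ".exe"))


def is_diskcryptor_driver_install(ev):
    """System 7045 whose image is the DiskCryptor driver: the encryptor was installed."""
    return ev.get("EventID") == 7045 and _ends_with(ev.get("ImagePath", ""), DISKCRYPTOR_DRIVER)


def is_psexec_child(ev):
    """Sysmon 1 whose parent is PSEXESVC.exe: a process PsExec launched remotely."""
    return ev.get("EventID") == 1 and _ends_with(
        ev.get("ParentImage", ""), "\\" + PSEXEC_SERVICE + ".exe")


def hunt(events):
    """Per host: PsExec seen, DiskCryptor driver seen, and the command lines PsExec ran."""
    hosts = defaultdict(lambda: {"psexec": False, "diskcryptor": False, "psexec_cmdlines": []})
    for ev in events:
        rec = hosts[ev["Computer"]]
        if is_psexec_service_install(ev):
            rec["psexec"] = True
        if is_diskcryptor_driver_install(ev):
            rec["diskcryptor"] = True
        if is_psexec_child(ev):
            rec["psexec_cmdlines"].append(ev.get("CommandLine", ""))
    return dict(hosts)


def mamba_candidates(events):
    """Hosts showing the full chain: remote PsExec execution plus DiskCryptor driver install."""
    return sorted(h for h, r in hunt(events).items() if r["psexec"] and r["diskcryptor"])


def password_candidates(events, host):
    """Arguments of processes PsExec launched on a candidate host.

    The dropper receives the DiskCryptor password on its command line, so every
    argument captured here is a candidate key for that host's disk. Hosts without
    the DiskCryptor indicator yield nothing; their PsExec activity is triaged
    separately as possible legitimate administration."""
    rec = hunt(events).get(host)
    if not rec or not (rec["psexec"] and rec["diskcryptor"]):
        return []
    args = []
    for cmd in rec["psexec_cmdlines"]:
        # posix=False keeps Windows backslashes intact instead of treating them as escapes.
        args.extend(shlex.split(cmd, posix=False)[1:])
    return args


if __name__ == "__main__":
    for host in mamba_candidates(SAMPLE_EVENTS):
        print(host, "-> DiskCryptor password candidates:", password_candidates(SAMPLE_EVENTS, host))
```

In a real investigation the events would come from forwarded logs or an EDR export rather than an inline list, and the dropper's real argument layout should be confirmed from a sample before trusting which token is the password. The point the example makes is that the 7045 records alone are enough to scope which hosts were hit, but only command-line capture, enabled before the attack, gives any chance of recovering a per-host key.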