Just when we thought ransomware’s evolution had peaked, a new strain has been discovered that forgoes the encryption of individual files, and instead encrypts a machine’s hard drive. The malware, called Mamba, has been found on machines in Brazil, the United States and India, according to researchers at Morphus Labs in Brazil. It was discovered by the company in response to an infection at a customer in the energy sector in Brazil with subsidiaries in the U.S. and India.
Renato Marinho, a researcher with Morphus Labs, told Threatpost that the ransomware is likely being spread via phishing emails. Once it infects a machine, it overwrites the existing Master Boot Record with a custom MBR, and from there, encrypts the hard drive.
“Mamba encrypts the whole partitions of the disk,” Marinho said. “It uses a disk-level cryptography and not a traditional strategy of other ransomware that encrypts individual files.”
The malware is a Windows threat, and it prevents the infected computer’s operating system from booting up with out a password, which is the decryption key.
The victims are presented with a ransom note demanding one Bitcoin per infected host in exchange for the decryption key and it also includes an ID number for the compromised computer, and an email address where to request the key.
Mamba joins Petya as ransomware targeting computers at the disk level. Petya encrypted the Master File Table on machines it infected. Mamba, however, uses an open source disk encryption tool called DiskCryptor to lock up the compromised hard drives. Petya was a game-changer among ransomware families. It spread initially among German companies targeting human resources offices. Emails were sent that contained a link to a Dropbox file that installed the ransomware. The malware showed the victim a phony CHKDSK process while it encrypted the Master File Table in the background.
Researchers quickly analyzed Petya’s inner workings and by understanding its behavior, were able to build a decryptor shortly after the first infections were disclosed.
More than a month after Petya surfaced, a variant was found that included a new installer. If the installer failed to install Petya on the compromised machine, it installed a less troublesome ransomware strain known as Mischa. Petya included an executable requesting admin privileges that caused Windows to flash a UAC prompt; if the victim declined at the prompt, the malware would install Mischa instead of Petya.
Mischa behaves like most of the ransomware many are familiar with. Once the victim executes link sent in a spam or phishing email, the malware encrypts local files and demands a ransom of 1.93 Bitcoin, or about $875 to recover the scrambled files.