{"id":6186,"date":"2021-03-31T16:05:42","date_gmt":"2021-03-31T23:05:42","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=6186"},"modified":"2024-04-26T13:20:48","modified_gmt":"2024-04-26T20:20:48","slug":"mamba-ransomware-campaign","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/mamba-ransomware-campaign\/","title":{"rendered":"Mamba Ransomware Campaign"},"content":{"rendered":"<h3><strong>Author: Yadu Nadh<\/strong><\/h3>\n<h3><strong>TLP: WHITE<\/strong><\/h3>\n<h3>Overview<\/h3>\n<p>On 23 March, the Federal Bureau of Investigation reported on a variant of the disk-encrypting ransomware HDDCryptor, also known as Mamba. Specifically, it weaponizes DiskCryptor, a legitimate and open-source full-disk encryption software.<sup>1<\/sup><\/p>\n<p>Threat actors previously used Mamba to infect victims in Brazil and Saudi Arabia, as well as to attack the San Francisco Municipal Transportation Agency (SFMTA) in November 2016.<sup>2<\/sup><\/p>\n<h3>Customer Impact<\/h3>\n<p>The cybersecurity community first discovered Mamba ransomware in 2016.<sup>3<\/sup> It has been deployed against:<\/p>\n<ul>\n<li>local government,<\/li>\n<li>public transportation agencies,<\/li>\n<li>legal services,<\/li>\n<li>technology services,<\/li>\n<li>industrial,<\/li>\n<li>commercial,<\/li>\n<li>manufacturing, and<\/li>\n<li>construction businesses.<\/li>\n<\/ul>\n<p>The threat actors behind Mamba encrypt the victim\u2019s drive and operating system with a weaponized version of DiskCryptor. 
The ransomware\u2019s capabilities include privilege escalation via exploit.<\/p>\n<h3>Campaign Analysis<\/h3>\n<p>Threat actors distribute Mamba via malspam and can compromise the victim\u2019s network via Remote Desktop Protocol (RDP).<\/p>\n<p>Once the malware encrypts the victim\u2019s system, it displays a ransom note with the actor\u2019s email address, the ransomware file name, the host system name, and a field in which to enter the decryption key. The ransom note instructs the victim to contact the actor\u2019s email address to pay the ransom in exchange for the decryption key. The threat actor adjusts the payment based on the scale of the infection and demands that it be made in Bitcoin.<sup>4<\/sup><\/p>\n<h3>Attack Chain<\/h3>\n<p>Mamba uses a PsExec<sup>5<\/sup> command to launch itself on other systems in the network and encrypt the compromised systems.<\/p>\n<p>Along with DiskCryptor, Mamba uses a program that installs and starts disk encryption in the background using an encryption key chosen by the attacker. The attacker passes this key as a command-line parameter: <em>[Ransomware Filename].exe &lt;password&gt;<\/em>.<\/p>\n<p>The ransomware works in two stages. The first stage, also known as the preparation stage:<\/p>\n<ul>\n<li>Creates the folder C:\\Users\\Public\\,<\/li>\n<li>Drops the DiskCryptor components into that folder,<\/li>\n<li>Installs the DiskCryptor driver,<\/li>\n<li>Registers a system service called myCryptographyService, and<\/li>\n<li>Reboots the victim machine.<\/li>\n<\/ul>\n<p>The second stage, or encryption stage:<\/p>\n<ul>\n<li>Writes a bootloader to the master boot record (MBR),<\/li>\n<li>Encrypts the disk partitions using the DiskCryptor software, and<\/li>\n<li>Reboots the victim machine.<\/li>\n<\/ul>\n<p>The encryption key and the shutdown time variable are saved to the configuration file (<em>myConf.txt<\/em>). 
This file remains readable until the second restart, which occurs approximately two hours later, completes the encryption, and displays the ransom note.<\/p>\n<p>If any of the DiskCryptor files are detected, determine whether <em>myConf.txt<\/em> is still accessible. If so, the password can be recovered from it without paying the ransom. This opportunity, however, lasts only until the system reboots for the second time.<\/p>\n<h3>Vulnerabilities &#038; Mitigation<\/h3>\n<p>Organizations can reduce the risk and impact of Mamba ransomware<sup>6<\/sup> with these practices:<\/p>\n<ul>\n<li>Implement network segmentation.<\/li>\n<li>Require administrator credentials to install software.<\/li>\n<li>If DiskCryptor is not used by the organization, add the key artifact files used by DiskCryptor to the organization\u2019s execution blacklist, so that any attempt to install or run this encryption program and its associated files is blocked.<\/li>\n<li>Implement a recovery plan that maintains and retains multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (e.g., a hard drive, a storage device, or the cloud).<\/li>\n<li>Use multifactor authentication where possible.<\/li>\n<li>Disable unused remote access\/RDP ports and monitor remote access\/RDP logs.<\/li>\n<li>Audit user accounts with administrative privileges and configure access controls with least privilege in mind.<\/li>\n<li>
Install and regularly update anti-virus and anti-malware software on all hosts.<\/li>\n<li>Disable hyperlinks in incoming emails.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/threat-intelligence-114.jpg\" alt=\"\" width=\"589\" height=\"706\" class=\"aligncenter size-full wp-image-6578\" srcset=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-114.jpg 589w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-114-250x300.jpg 250w\" sizes=\"auto, (max-width: 589px) 100vw, 589px\" \/><\/p>\n<h3><strong>Endnotes<\/strong><\/h3>\n<ol>\n<li><a href=\"https:\/\/www.ic3.gov\/Media\/News\/2021\/210323.pdf\">https:\/\/www.ic3.gov\/Media\/News\/2021\/210323.pdf<\/a><\/li>\n<li><a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/cybercrime-and-digital-threats\/disk-locking-hddcryptor-mamba-ransomware-makes-a-comeback\">https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/cybercrime-and-digital-threats\/disk-locking-hddcryptor-mamba-ransomware-makes-a-comeback<\/a><\/li>\n<li><a href=\"https:\/\/securityaffairs.co\/wordpress\/51314\/malware\/mamba-ransomware.html\">https:\/\/securityaffairs.co\/wordpress\/51314\/malware\/mamba-ransomware.html<\/a><\/li>\n<li><a href=\"https:\/\/thehackernews.com\/2017\/08\/locky-mamba-ransomware.html\">https:\/\/thehackernews.com\/2017\/08\/locky-mamba-ransomware.html<\/a><\/li>\n<li><a href=\"https:\/\/www.mindpointgroup.com\/blog\/lateral-movement-with-psexec\/\">https:\/\/www.mindpointgroup.com\/blog\/lateral-movement-with-psexec\/<\/a><\/li>\n<li><a href=\"https:\/\/securelist.com\/the-return-of-mamba-ransomware\/79403\/\">https:\/\/securelist.com\/the-return-of-mamba-ransomware\/79403\/<\/a><\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Author: Yadu Nadh TLP: WHITE &nbsp; Overview On 23 March, the Federal Bureau of Investigation reported on a variant of 
the disk-encrypting ransomware HDDCryptor, also known as Mamba. Specifically, it weaponizes DiskCryptor, a legitimate and open source full-disk encryption software.1 Threat actors previously used Mamba to infect victims in Brazil and Saudi Arabia, as well [&hellip;]<\/p>\n","protected":false},"author":397,"featured_media":6719,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[553],"tags":[236,467,468,288],"class_list":{"0":"post-6186","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-cyber-campaign-briefs","8":"tag-cyberthreat","9":"tag-hddcryptor","10":"tag-mamba","11":"tag-ransomware","12":"entry"},"acf":[],"_links":{"self":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/6186","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/users\/397"}],"replies":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/comments?post=6186"}],"version-history":[{"count":4,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/6186\/revisions"}],"predecessor-version":[{"id":6579,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/6186\/revisions\/6579"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media\/6719"}],"wp:attachment":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media?parent=6186"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/categories?post=6186"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/tags?post=6186"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}