The Mamba ransomware that hit San Francisco’s municipal railway system is back

In late November 2016, a huge attack took place against San Francisco's municipal railway. Perpetrated with ransomware called Mamba, the attack apparently took out more than 2,000 computers belonging to the San Francisco Municipal Transport Agency (SFMTA).

Kaspersky Lab researchers have discovered that the group behind Mamba has resumed its attacks – targeting corporations, so far mainly in Brazil and Saudi Arabia.

 As usual, this group gains access to an organization’s network and uses the psexec utility to execute the ransomware. Also, it is important to mention that for each machine in the victim’s network, the threat executor generates a password for the DiskCryptor utility. This password is passed via command line arguments to the ransomware dropper. There is currently no way to decrypt data that has been encrypted using DiskCryptor as the encryption algorithms are very strong.

In a nutshell, the malicious activity can be separated into two stages:

Stage 1 (Preparation)
As the trojan uses the DiskCryptor utility, the first stage deals with installing this tool on a victim machine. The malicious dropper stores DiskCryptor’s modules in their own resources.
Depending on OS information, the malware is able to choose between 32- or 64-bit DiskCryptor modules. The necessary modules will be dropped into the “C:\xampp\http” folder.
After that, it launches the dropped DiskCryptor installer. When DiskCryptor is installed, the malware creates a service that has SERVICE_ALL_ACCESS and SERVICE_AUTO_START parameters. The last step of Stage 1 is to reboot the system.
Stage 2 (Encryption)
Using the DiskCryptor software, the malware sets up a new bootloader to MBR.
The bootloader contains the ransom message for the victim. After the bootloader is set, disk partitions would be encrypted using a password, previously specified as a command line argument for the dropper.
When the encryption ends, the system will be rebooted, and a victim will see a ransom note on the screen. Kaspersky Lab products detect this threat with the help of the System Watcher component with the following verdict: PDM:Trojan.Win32.Generic.

Unfortunately, there is no way to decrypt data that has been encrypted using the DiskCryptor utility because this legitimate utility uses strong encryption algorithms.
Businesses concerned about their potential vulnerability to this threat are advised to:

•         Always install critical software patches released by developers and use the latest software versions.
•         Do not run or open attachments from untrusted sources.
•         Backup sensitive data to external storage and keep it offline.
•         Non-Kaspersky Lab customers can download the free Kaspersky Anti-Ransomware Tool for business (KART).
•         If a Kaspersky Lab solution is used, ensure that it includes the System Watcher, a behavioral proactive detection component, and that it is switched on.