On Tuesday, March 23, the FBI raised concerns about the growth of attacks using Mamba ransomware against government and private-sector organizations.
This week (Tuesday, March 25) the US Federal Bureau of Investigation issued a private industry notification to US organizations warning of attacks carried out by the Mamba ransomware gang, along with guidance on how to defend against it and basic information on how organizations can recover from an attack if the intrusion is detected in its early stages.
In their alert on Tuesday, FBI officials said the ransomware "has been deployed against local governments, public transportation agencies, legal services, technology services, industrial, commercial, manufacturing and construction companies." In the past, possibly as collateral damage, these campaigns have reached Latin America, which is why DEFENSIONE issues this early warning in anticipation of possible future attacks by this adversary.
Mamba has been known as HDDCryptor since mid-2016. Its best-known case (in 2018) is the infection of the Moscow cable car system, which disrupted its normal operation.
WHAT DO WE KNOW ABOUT MAMBA?
A reloaded ransomware
On November 30, 2018, open sources reported that Moscow's new cable car system had been infected with ransomware two days after its launch. The infection started on Wednesday, November 28, 2018 and hit the servers of the Moscow Ropeway (MKD), which was tasked with configuring and managing the cable car service. MKD temporarily suspended the cable car service once it realized its systems were under attack, and was given the go-ahead to restore service on November 30, 2018.

The operators had been quiet until the last 60 days. DefensiONE has observed growth in the number of newly known hashes directly related to Mamba, with March 24 being, so far, the highest peak of new related hashes. Mamba shows changes in its new versions, but they appear to be small updates over the years; its basic principle remains the same: it first encrypts the data on the victim's hard drive and then rewrites the MBR (Master Boot Record) section of the disk.
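As an added defensive illustration (not part of the DEFENSIONE advisory or of any Mamba sample), the following Python snippet records a baseline of a disk's MBR and later compares the current sector against it, which is the kind of integrity check that catches the MBR rewrite described above. The 512-byte MBRs below are constructed sample data; on a real host the sector would be read from the physical disk with administrative privileges.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"  # expected at offsets 510-511 of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Parse a 512-byte MBR: hash of the boot code, partition entries, signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # type 0x00 means an unused slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
            "signature_ok": sector[510:512] == BOOT_SIGNATURE,
            "partitions": partitions}


def check_mbr(sector: bytes, baseline: dict) -> list:
    """Compare the current MBR against a recorded baseline; return a list of findings."""
    current = parse_mbr(sector)
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code changed")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a synthetic MBR with one bootable type-0x07 partition (sample data, not a real disk)."""
    code = boot_code.ljust(440, b"\x00")[:440]
    disk_sig = b"\x11\x22\x33\x44\x00\x00"  # 4-byte disk signature + 2 reserved bytes
    table = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800) + b"\x00" * 48
    return code + disk_sig + table + BOOT_SIGNATURE


# Constructed baseline (recorded while the host is known-good) and a tampered sector
# in which the boot code was replaced and the partition table zeroed out.
BASELINE_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = parse_mbr(BASELINE_MBR)
TAMPERED_MBR = build_sample_mbr(b"\xeb\x3c\x90")[:446] + b"\x00" * 64 + BOOT_SIGNATURE
```

On Windows the live sector is obtained with `open(r"\\.\PhysicalDrive0", "rb").read(512)` from an elevated process; store the baseline off-host so an attacker who rewrites the MBR cannot also rewrite the reference.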