Poisonous Mamba Ransomware Overwrites Your Master Boot Record, Encrypts Your Entire Hard Drive

We’ve seen some rather nasty ransomware making the rounds over the past few months, but a new strain is wreaking havoc on computers around the globe. Brazilian firm Morphus Labs first discovered the Windows-based ransomware, which has been given the name Mamba.

So far, Mamba has been found on computers located in Brazil, India and even the United States. According to Morphus Labs researcher Renato Marinho, Mamba has been spreading as a result of people being tricked into interacting with phishing emails. Once a user has been “hooked”, Mamba gets down to business by infecting the host machine, and then proceeds to overwrite the PC’s Master Boot Record (MBR).

But whereas most ransomware will encrypt individual files or even entire folders on your PC, Mamba’s dirty little secret is that it will encrypt your entire hard drive. “Mamba encrypts the whole partitions of the disk,” said Marinho. “It uses a disk-level cryptography and not a traditional strategy of other ransomware that encrypts individual files.”

Since Mamba encrypts entire partitions on infected hard drives, don’t even think about booting into your Windows environment after infection. Instead, you will be faced with a password prompt upon boot:


You are Hacked ! H.D.D Encrypted, Contact Us For Decryption Key (w889901665@yandex.com) YOURID: 123152
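Because Mamba's first visible action is to replace the Master Boot Record with its own loader, one practical defensive control is to record a baseline of the MBR at install time and periodically compare it. The script below is an added example, not code from the article or from Morphus Labs: it parses the standard 512-byte MBR layout (446 bytes of boot code, a 64-byte partition table of four 16-byte entries, and the 0x55AA boot signature), hashes the boot-code and partition-table regions separately, and reports which region differs from the baseline. The two MBRs it examines are constructed for the demo; on a real host you would read the first 512 bytes of the boot disk and store the baseline somewhere the machine itself cannot alter.

```python
"""
Added example (not from the article or Morphus Labs): a baseline-based
MBR integrity check of the kind a defender might schedule on endpoints.
Sample MBRs are constructed below; real use reads the first 512 bytes
of the boot disk (e.g. \\\\.\\PhysicalDrive0 on Windows, /dev/sda on Linux).
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446            # bootstrap code occupies bytes 0..445
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries follow at 446..509
PARTITION_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR into its regions, hash them, and decode the partition table."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_LEN
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + PARTITION_ENTRY_LEN])
        partitions.append({
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    table = mbr[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 4 * PARTITION_ENTRY_LEN]
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partition_table_sha256": hashlib.sha256(table).hexdigest(),
        "partitions": partitions,
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(current: bytes, baseline: dict) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(current)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code region changed")
    if info["partition_table_sha256"] != baseline["partition_table_sha256"]:
        findings.append("partition table changed")
    return findings


def make_sample_mbr(boot_code: bytes, partition_type: int) -> bytes:
    """Constructed sample MBR: boot code padded to 446 bytes, one bootable partition, signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", partition_type,
                        b"\x00\x00\x00", 2048, 1_000_000)
    table = entry + b"\x00" * (3 * PARTITION_ENTRY_LEN)
    return code + table + BOOT_SIGNATURE


# Constructed baseline: the "known-good" MBR recorded when the machine was built.
KNOWN_GOOD_MBR = make_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", 0x07)
BASELINE = parse_mbr(KNOWN_GOOD_MBR)

# Constructed "after" image: the boot code has been swapped for a different loader
# while the partition table is left untouched, so only the boot-code finding fires.
TAMPERED_MBR = make_sample_mbr(b"\xeb\x3c\x90DIFFERENT-LOADER", 0x07)

if __name__ == "__main__":
    for name, mbr in (("known-good", KNOWN_GOOD_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(mbr, BASELINE) or "OK")
```

Hashing the boot-code and partition-table regions separately matters in practice: a legitimate OS update or disk resize can rewrite the partition table without touching the loader, whereas a replaced loader with an intact partition table is the pattern worth alerting on.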

And as you might have guessed, you will have to pay in order to obtain the password to decrypt your hard drive and access Windows (and the rest of your files). In this case, the ransom payment amounts to 1 bitcoin, or roughly $600.

Needless to say, Mamba is a pretty nasty package, which is why Morphus Labs named it after the poisonous snake. We want to remind our readers to stay vigilant; ignore suspicious emails (especially from people you don’t recognize) and by all means don’t go surfing into some of the seedier areas of the internet. It’s likely more trouble than it’s worth.


Via: Threat Post