There are many opportunities to take advantage of Mamba’s procedural downfalls using free and available tools like Sysmon. The first of which is noticing the file writes in C:\Users\Public. A high number of file writes (Sysmon EID 11) in that directory is always unusual as the Public directory is not often utilized by users and is easily writable from an attacker’s perspective. Another opportunity is capturing the deleted configuration file when it is deleted (Sysmon EID 23). After the second reboot, the configuration file is removed, but once removed, it will automatically be stored in the Sysmon archive where it can be retrieved later. A sample Sysmon config will be provided to help detect these events. Utilizing centralized logging is imperative when detecting ransomware as using log sources like Sysmon can help detect hosts as files are getting encrypted and even before then.

Reference:
https://gist.github.com/thehack3r4chan/a13a97a125ec310b38e7b1026ac61f10 (Sysmon Config)
https://www.bleepingcomputer.com/news/security/fbi-exposes-weakness-in-mamba-ransomware-diskcryptor/
https://www.ic3.gov/Media/News/2021/210323.pdf