In an alert about Mamba ransomware, the FBI disclosed a weakness in the encryption process that could allow victims to decrypt files without paying the ransom, if the victim company acts quickly. Mamba relies on the open-source program DiskCryptor to encrypt the infected workstations’ hard drives. The issue arises when the Mamba has to restart the workstation to install the drivers needed for DiskCryptor. When the restart occurs, the encryption key and configuration for DiskCrypt are stored in a file called myConf.txt. Because the file is stored in plaintext, the FBI says organizations have a small two-hour window to retrieve the key from the file before the computer restarts a second time and the file is deleted. The reason this window is crucial is due to the fact that Mamba overwrites the master boot record (MBR) and can make live recovery difficult after the disk is encrypted.
Analyst Notes
There are many opportunities to take advantage of Mamba’s procedural downfalls using free and available tools like Sysmon. The first of which is noticing the file writes in C:UsersPublic. A high number of file writes (Sysmon EID 11) in that directory is always unusual as the Public directory is not often utilized by users and is easily writable from an attacker’s perspective. Another opportunity is capturing the deleted configuration file when it is deleted (Sysmon EID 23). After the second reboot, the configuration file is removed, but once removed, it will automatically be stored in the Sysmon archive where it can be retrieved later. A sample Sysmon config will be provided to help detect these events. Utilizing centralized logging is imperative when detecting ransomware as using log sources like Sysmon can help detect hosts as files are getting encrypted and even before then.
Reference:
https://gist.github.com/thehack3r4chan/a13a97a125ec310b38e7b1026ac61f10 (Sysmon Config)
https://www.bleepingcomputer.com/news/security/fbi-exposes-weakness-in-mamba-ransomware-diskcryptor/
https://www.ic3.gov/Media/News/2021/210323.pdf
