In an alert about Mamba ransomware, the FBI disclosed a weakness in the encryption process that could allow victims to decrypt their files without paying the ransom, provided the victim organization acts quickly. Mamba relies on the open-source program DiskCryptor to encrypt the infected workstations' hard drives. The weakness arises when Mamba has to restart the workstation to install the drivers DiskCryptor needs: at that restart, the encryption key and the DiskCryptor configuration are written to a file called myConf.txt. Because that file is stored in plaintext, the FBI says organizations have a small two-hour window to retrieve the key from it before the computer restarts a second time and the file is deleted. The window matters because Mamba overwrites the master boot record (MBR), which can make live recovery difficult once the disk is encrypted.
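The practical consequence of that window is an evidence-preservation task: find myConf.txt while it still exists, copy it somewhere safe, and record a hash so the copy can later be trusted. The script below is an added example written for this page; it is not code from the FBI alert or from Binary Defense. The alert does not give the file's location or format, so the script takes the directories to search from the analyst (the `search_roots` argument and the `suspect_dir` fixture are assumptions) and treats the file as opaque bytes; it never modifies or deletes the original. The `demo()` function builds a constructed fixture in a temporary directory so the whole thing runs offline.

```python
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path

KEY_FILE_NAME = "myConf.txt"   # file name given in the FBI alert
WINDOW_SECONDS = 2 * 60 * 60   # the two-hour window the alert describes


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_key_files(search_roots, name=KEY_FILE_NAME):
    """Walk the analyst-supplied roots (assumed locations; the alert names no path)
    and return every file whose name matches `name`, case-insensitively."""
    hits = []
    for root in search_roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for dirpath, _dirnames, filenames in os.walk(root):
            for fn in filenames:
                if fn.lower() == name.lower():
                    hits.append(Path(dirpath) / fn)
    return hits


def preserve_key_files(search_roots, evidence_dir, now=None, window_seconds=WINDOW_SECONDS):
    """Copy each found key file into evidence_dir, hash source and copy, and write a
    JSON manifest. Returns the manifest entries. The original file is left untouched.
    The remaining-window estimate assumes the file's mtime marks the first restart."""
    now = time.time() if now is None else now
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    entries = []
    for src in find_key_files(search_roots):
        age = now - src.stat().st_mtime
        dst = evidence_dir / f"{int(now)}_{src.parent.name}_{src.name}"
        shutil.copy2(src, dst)  # copy2 preserves the original timestamps on the copy
        entries.append({
            "source": str(src),
            "copy": str(dst),
            "sha256_source": sha256_of(src),
            "sha256_copy": sha256_of(dst),
            "age_seconds": round(age),
            "seconds_left_in_window": max(0, round(window_seconds - age)),
        })
    with open(evidence_dir / "manifest.json", "w") as fh:
        json.dump(entries, fh, indent=2)
    return entries


def demo():
    """Constructed fixture: a fake myConf.txt in a temp directory (not a real DiskCryptor
    config). Returns the manifest entries and the expected hash of the source file."""
    base = Path(tempfile.mkdtemp(prefix="mamba_demo_"))
    suspect_dir = base / "suspect_dir"   # stand-in for wherever the file sits on a real host
    suspect_dir.mkdir()
    sample = suspect_dir / KEY_FILE_NAME
    sample.write_text("CONSTRUCTED SAMPLE - not a real DiskCryptor configuration\n")
    entries = preserve_key_files([suspect_dir], base / "evidence")
    return entries, sha256_of(sample)


if __name__ == "__main__":
    found, expected = demo()
    for e in found:
        print(f"preserved {e['source']} -> {e['copy']}")
        print(f"  sha256 {e['sha256_copy']}  match={e['sha256_copy'] == expected}")
        print(f"  roughly {e['seconds_left_in_window']} s left in the two-hour window")
```

On a real host the analyst replaces the fixture with the directories worth searching and an evidence location on removable or network storage, then confirms the two hashes in the manifest agree before the machine is allowed to reboot again.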
By Akshay Rohatgi and Randy Pargman

About this Student Research Project

Binary Defense's mission is