Vulnerability category: Backdoors and trojan horses
Vulnerability level:
Vulnerability information
Mamba is ransomware that, after infection, overwrites the existing Master Boot Record of a Windows installation with a custom MBR and encrypts the hard drive using DiskCryptor, an open-source full disk encryption utility. It is unclear whether the malware contains a propagation mechanism. However, it appears that the malware group first compromises a network and, once they have access to an organization's network, uses the psexec utility to execute the ransomware across that network.
QID Detection Logic:
This authenticated detection works by checking for the presence of a few files such as %SYSTEMDRIVE%\DC22\dcinst.exe, %SYSTEMDRIVE%\DC22\log_file.txt, %SYSTEMDRIVE%\xampp\http\dcinst.exe, %SYSTEMDRIVE%\xampp\http\log_file.txt that are found on an infected pre-reboot system.
Impact
Systems infected by this ransomware will have their files encrypted and rendered unusable until the victims pay a ransom to an anonymous party.
Solution
To protect your systems:
- Use the Windows AppLocker feature to disable the execution of PSExec.exe.
- Disable WMI.
- Disable SMBv1.
- Make sure systems are running up-to-date anti-malware software.
- Block ADMIN$ access via GPO.
- Maintain good back-ups so that if an infection occurs, you can restore your data.
Cleaning up infected systems:
- Contact your anti-malware vendor to remove the infection.
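The authenticated detection described above checks for a handful of artifact files on a pre-reboot infected host. The following PowerShell script is an added example written for this page, not the vendor's own detection code; it checks the four paths listed in the QID detection logic (the list of paths is the only page-supplied data, the function name and output format are assumptions) and, as a related hardening check, reports whether the SMBv1 optional feature the solution says to disable is still enabled.

```powershell
# Added example: check a Windows host for the Mamba artifact paths named in the
# QID detection logic, and report the SMBv1 feature state recommended for removal.
# Run from an elevated PowerShell session on the host being inspected.

function Test-MambaArtifacts {
    [CmdletBinding()]
    param()

    # Paths taken from the detection logic on this page; %SYSTEMDRIVE% is
    # expanded from the environment of the host the script runs on.
    $artifactPaths = @(
        "$env:SystemDrive\DC22\dcinst.exe",
        "$env:SystemDrive\DC22\log_file.txt",
        "$env:SystemDrive\xampp\http\dcinst.exe",
        "$env:SystemDrive\xampp\http\log_file.txt"
    )

    $findings = foreach ($path in $artifactPaths) {
        $exists = Test-Path -LiteralPath $path -PathType Leaf
        [PSCustomObject]@{
            Path    = $path
            Present = $exists
            # Capture last write time for triage when the file is present.
            LastWrite = if ($exists) { (Get-Item -LiteralPath $path).LastWriteTime } else { $null }
        }
    }

    # Hardening check: the solution section recommends disabling SMBv1.
    # Get-WindowsOptionalFeature is available on Windows 8 / Server 2012 and later.
    $smb1State = 'Unknown'
    try {
        $smb1State = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction Stop).State
    } catch {
        # Older hosts or restricted sessions may not expose the feature query.
        $smb1State = 'QueryFailed'
    }

    [PSCustomObject]@{
        ComputerName      = $env:COMPUTERNAME
        ArtifactsFound    = @($findings | Where-Object Present).Count
        Findings          = $findings
        SMB1ProtocolState = $smb1State
        Suspect           = (@($findings | Where-Object Present).Count -gt 0)
    }
}

# Usage: run the check and print a summary suitable for a ticket or SIEM note.
$result = Test-MambaArtifacts
$result.Findings | Format-Table -AutoSize
if ($result.Suspect) {
    Write-Warning "Mamba artifact files present on $($result.ComputerName); isolate the host and engage your anti-malware vendor."
} else {
    Write-Host "No Mamba artifact files found on $($result.ComputerName)."
}
Write-Host "SMB1Protocol feature state: $($result.SMB1ProtocolState)"
```

The script only reads file metadata and feature state; it does not delete anything, because the page's guidance for an infected host is to involve the anti-malware vendor rather than attempt removal by hand. A host where `Suspect` is true has not yet rebooted into the custom MBR, which is exactly the window in which backups can still be verified and the machine isolated.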