HDDCryptor

HDDCryptor, also known as Mamba, targets Windows systems and is distributed via files downloaded from malicious websites. When the initial binary is executed, it downloads a number of files into a root folder on the infected system. HDDCryptor then creates a user account named “mythbusters” with the password “123456.” It also registers a new boot-time service named “Defragment Service” to gain and maintain persistence. It uses a tool named netpass.exe to scan previously accessed network folders and recover the credentials stored for them. The executables dcon.exe and mount.exe are then used to encrypt files on the infected system’s hard drive as well as files on all mapped network drives. Once that process is complete, HDDCryptor overwrites the Master Boot Records (MBRs) of all partitions with a custom boot loader so that the operating system can no longer load after a restart. It then reboots the infected system and displays a ransom note instructing the victim to contact the attacker via email. HDDCryptor demands a ransom payment of 1 Bitcoin.

UPDATE 08/09/2017: Mamba has resurfaced, currently targeting corporations in Brazil and Saudi Arabia. The unknown group behind this campaign uses the PsExec utility to spread the ransomware across victims' networks. Mamba first creates a folder named C:\xampp\http and drops the open-source disk encryption tool DiskCryptor into it. It then installs the DiskCryptor driver, registers a system service called DefragmentService, and reboots the infected system. After the reboot, Mamba writes a new bootloader containing the ransom note to the MBR, encrypts the disk partitions using DiskCryptor, and reboots the system once more, at which point the ransom note is displayed on screen. Because DiskCryptor is legitimate software, its presence alone may not be flagged by security products; the staging folder, the service name, and the PsExec activity are the more reliable indicators. There are currently no free decryption tools available for this variant.
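The host artifacts described above (the “mythbusters” account, the DefragmentService persistence service, the C:\xampp\http staging folder, the dropped netpass.exe/dcon.exe/mount.exe tools, and PsExec-based spreading) can be checked for in a single triage pass. The following PowerShell script is an added example, not part of the NJCCIC profile or of any vendor tool. It assumes the “root folder” of the first variant is the root of the system drive, that the DiskCryptor driver registers under the service name `dcrypt`, and that PsExec leaves its usual `PSEXESVC` service on hosts it was run against; those three names are assumptions, everything else comes from the text.

```powershell
# Added triage script: checks a Windows host for the HDDCryptor/Mamba artifacts
# described in the NJCCIC profile. Not vendor code; run from an elevated prompt.
# Assumed names: 'dcrypt' (DiskCryptor driver service) and 'PSEXESVC' (PsExec
# remote service); the drive root as the first variant's drop folder.
function Get-MambaIndicators {
    [CmdletBinding()]
    param(
        [string]$DropFolder = ($env:SystemDrive + '\')   # assumption: drive root
    )

    $findings = New-Object 'System.Collections.Generic.List[string]'

    # 1. Backdoor account created by the original variant
    $user = Get-LocalUser -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -eq 'mythbusters' }
    if ($user) {
        $findings.Add("Local account present: mythbusters (Enabled=$($user.Enabled))")
    }

    # 2. Persistence service (reported as "Defragment Service" / "DefragmentService")
    $svcs = Get-CimInstance Win32_Service -ErrorAction SilentlyContinue `
              -Filter "Name='DefragmentService' OR DisplayName='Defragment Service'"
    foreach ($s in $svcs) {
        $findings.Add("Service present: $($s.Name) -> $($s.PathName) [State=$($s.State)]")
    }

    # 3. DiskCryptor staging folder used by the 2017 variant
    $stage = 'C:\xampp\http'
    if (Test-Path -LiteralPath $stage) {
        $names = (Get-ChildItem -LiteralPath $stage -File -ErrorAction SilentlyContinue).Name -join ', '
        $findings.Add("Staging folder present: $stage [$names]")
    }

    # 4. DiskCryptor kernel driver registered (assumption: service name 'dcrypt')
    $drv = Get-CimInstance Win32_SystemDriver -Filter "Name='dcrypt'" -ErrorAction SilentlyContinue
    if ($drv) {
        $findings.Add("DiskCryptor driver registered: $($drv.PathName) [State=$($drv.State)]")
    }

    # 5. Tools dropped by the first variant
    foreach ($tool in 'netpass.exe', 'dcon.exe', 'mount.exe') {
        $p = Join-Path $DropFolder $tool
        if (Test-Path -LiteralPath $p) { $findings.Add("Dropped tool present: $p") }
    }

    # 6. PsExec remnant on a host that was a lateral-movement target (assumption: 'PSEXESVC')
    $psexec = Get-CimInstance Win32_Service -Filter "Name='PSEXESVC'" -ErrorAction SilentlyContinue
    if ($psexec) { $findings.Add("PsExec service registered: $($psexec.PathName)") }

    # 7. Service installs survive in the System log (Service Control Manager event 7045)
    #    even after the service itself has been removed.
    try {
        $installs = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction Stop |
                    Where-Object { $_.Message -match 'DefragmentService|Defragment Service|PSEXESVC' }
        foreach ($e in $installs) {
            $findings.Add("Event 7045 at $($e.TimeCreated): " + ($e.Message -split "`r?`n")[0])
        }
    } catch {
        $findings.Add("Could not read System event log: $($_.Exception.Message)")
    }

    return $findings
}

$hits = Get-MambaIndicators
if ($hits.Count -eq 0) { 'No HDDCryptor/Mamba indicators found.' } else { $hits }
```

Run it on a suspect host or wrap it in Invoke-Command to sweep a set of machines; any hit other than the event-log read error warrants isolating the host before the next reboot, since the MBR is only overwritten and the partitions only encrypted after the restart.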

  • Bleeping Computer provides more information about HDDCryptor here.
     
  • The NJCCIC is not currently aware of any free decryption tool available for HDDCryptor.