It still isn’t clear why Sophos Labs, which discovered the malware, decided to name it after a species of venomous snake, but so be it. We, on the other hand, thought it more important to explain how Mamba encrypts every hard disk and shared resource on the infected machine, which is what compromised 25 per cent of the SFMTA’s computers during the incident and brought down its ticketing service.
On November 26, the day of the attack, every terminal screen displayed the message: “You are hacked, all data encrypted”. The threat urged the agency to contact a certain email@example.com in order to obtain the key and unlock the data taken hostage.
According to the SFMTA’s website, the ransom demand came to $73,000. Knowing that refusing would mean leaving the tramway and metro terminals completely blocked, the agency’s officials still refused to pay. This impossible situation is what ultimately led to people travelling for free throughout the entire Thanksgiving weekend.
By standing up to this digital blackmail, the Californian city lost nearly $550,000, seven times the ransom demanded. Some will ask: why didn’t the SFMTA just pay the hackers? Was it a statement of their refusal to bow down to cybercrime? Or was it simply good old-fashioned pride?
Mamba and cyber-snake hunt
Although it spreads much like a Trojan horse, Mamba (also called HDDCryptor) doesn’t behave like ordinary ransomware. It doesn’t just encrypt the user’s personal data; it goes even further than the infamous Petya, which is known for attacking the Master File Table. The malware that picked a quarrel with the SFMTA aims to spread its venom at the disk-sector level, taking in the MFT, the OS, the applications, the shared files and the user’s personal data alike. But before going into more detail, let’s take a step back and look at how the incident actually started. It’s the typical case of clicking a suspicious link that downloads an infected attachment. The funny thing is that Windows actually asks for your permission to install Mamba, which it identifies as an unknown application.
What makes Mamba really sneaky is that it runs its malicious code in the background and installs itself as a service on the machine in order to obtain administrator privileges. It then silently installs NetPass, a free network password recovery tool, and DiskCryptor, a low-level tool used for full disk encryption.
Netpass.exe scans all the network shares the user may previously have accessed in order to retrieve login credentials. The infection continues with DiskCryptor, which encrypts the files belonging to that same user: Dccon.exe encrypts the contents of the local hard disk itself, while Mount.exe encrypts the contents of every accessible network drive.
At the end of the encryption process, Mamba rewrites all MBRs (Master Boot Records) and then alters the boot sectors of every partition on the hard disk. Once the computer is restarted, the Mamba effect becomes irreversible. You could probably have retrieved the encryption password from DiskCryptor’s log in log_file.txt, but that would have required you to notice the encryption while it was still running. At this point, you have no access to the key used for encryption. Instead, a classic boot screen appears, instructing you on how to pay the ransom.
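The behaviour described in the last three paragraphs (a fresh service install, NetPass run against shares, DiskCryptor driven from dccon.exe and mount.exe) is a chain a defender can look for in endpoint telemetry before the reboot makes things irreversible. The script below is an added example written for this article, not code from Sophos, the article’s author or the DiskCryptor project. It assumes a simplified, constructed log format of `timestamp host kind image-path` with two event kinds, `service_install` (modelled loosely on Windows System event 7045) and `process_create` (modelled on Security event 4688); the user-writable-path heuristic, the two-hour window and the sample hosts are all assumptions made for the example.

```python
"""Detect a Mamba/HDDCryptor-like chain in constructed endpoint log lines.

Added example for the article above; not the article's or Sophos' code.
Log format (constructed for this example): "<ISO timestamp> <host> <kind> <image path>"
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Tools the article names as dropped and run by Mamba, mapped to the stage
# of the chain each one represents.
TOOL_STAGES = {
    "netpass.exe": "credential_recovery",  # NetPass scans shares for saved logins
    "dccon.exe": "disk_encryption",        # DiskCryptor console encrypts the local disk
    "mount.exe": "share_encryption",       # DiskCryptor mount tool hits network drives
}

# Constructed sample: WS-014 shows the full chain; WS-021 is an administrator
# running DiskCryptor from a normal install path with no suspicious service.
SAMPLE_LOG = r"""
2016-11-25T08:02:11 WS-014 service_install C:\Users\jdoe\AppData\Local\Temp\svchost_upd.exe
2016-11-25T08:02:40 WS-014 process_create C:\Users\jdoe\AppData\Local\Temp\netpass.exe
2016-11-25T08:05:03 WS-014 process_create C:\Users\jdoe\AppData\Local\Temp\dccon.exe
2016-11-25T08:06:10 WS-014 process_create C:\Users\jdoe\AppData\Local\Temp\Mount.exe
2016-11-25T09:15:00 WS-021 service_install C:\Program Files\Backup\agent.exe
2016-11-25T09:16:30 WS-021 process_create C:\Program Files\DiskCryptor\dccon.exe
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str    # "service_install" or "process_create"
    image: str   # path of the installed service binary / created process


def parse_line(line: str) -> Event:
    """Parse one log line in the constructed format used by this example."""
    ts, host, kind, image = line.split(" ", 3)
    return Event(datetime.fromisoformat(ts), host, kind, image.strip())


def user_writable(path: str) -> bool:
    """Heuristic (an assumption of this example): a service whose binary lives
    under a user-writable directory is the persistence step worth flagging."""
    p = path.lower()
    return any(marker in p for marker in ("\\users\\", "\\temp\\", "\\programdata\\"))


def detect_mamba_chain(lines, window=timedelta(hours=2)):
    """Return {host: [stages seen]} for every host where a suspicious service
    install is followed, within `window`, by DiskCryptor encrypting the disk.

    Credential recovery and share encryption are recorded when seen but are
    not required: the article notes they only matter where shares exist.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    first_service = {}   # host -> time of the suspicious service install
    stages = {}          # host -> ordered stages observed after that install
    for e in events:
        name = e.image.rsplit("\\", 1)[-1].lower()
        if e.kind == "service_install" and user_writable(e.image):
            first_service[e.host] = e.ts
            stages[e.host] = ["service_install"]
        elif e.kind == "process_create" and name in TOOL_STAGES:
            start = first_service.get(e.host)
            if start is not None and e.ts - start <= window:
                stages[e.host].append(TOOL_STAGES[name])
    # Alert only once the disk encryption stage is reached on that host.
    return {h: s for h, s in stages.items() if "disk_encryption" in s}


if __name__ == "__main__":
    for host, seen in detect_mamba_chain(SAMPLE_LOG.strip().splitlines()).items():
        print(f"ALERT {host}: {' -> '.join(seen)}")
```

The point of anchoring on the service install rather than on dccon.exe alone is the second host: DiskCryptor is legitimate software, so the console appearing by itself is not evidence of anything, whereas the same console launched minutes after an unknown service was registered from a temp directory is exactly the sequence the article describes, and it is visible well before the MBR rewrite and reboot.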
The snake biting its own tail
The SFMTA hack is now over and San Francisco’s railways are up and running again. Operating under the alias Andy Saolis, the hacker didn’t get a single bitcoin, and user data remained uncompromised. Yes, the city hall of San Francisco had to replace all the infected machines, but that is a relatively low price to pay to stop Mamba’s venom from spreading to the entire system.
More than that, what goes around comes around, and Andy the hacker can’t deny it. Just a few days after the cyber-attack, he was hacked in turn by a cybersecurity researcher. According to the Krebs on Security blog, the expert, who preferred to remain anonymous, claims to have broken into the account belonging to “firstname.lastname@example.org”. The white-hat vigilante was able to trace the offender’s history and reveal that the first ransom request was sent to the SFMTA on Friday, November 25, more specifically to a Mr. Cunningham, in charge of the agency’s network infrastructure.
The investigation also showed that the cybercriminal wasn’t specifically targeting San Francisco’s municipal transportation agency. According to Krebs’s source, Andy Saolis wasn’t even successful on his first try. Among his other victims, the expert identified mostly American SMEs, which is most likely why he has managed to stay under the radar so far.
What brings a little humour to the whole situation is that the author of Mamba also offers to secure his victims’ networks (in exchange for a larger ransom, of course). Unfortunately, companies willing to pay will soon realise that this is nothing more than a scam. On the one hand, the offer comes from a person who couldn’t even protect his own account. On the other, the services Andy Saolis proposes consist of showering his new “clients” with links to Oracle security patches.
Our story has a happy ending this time, but the consequences could be devastating next time around. Mamba’s bite can affect any critical infrastructure, not just transportation networks. According to a report issued by the ICIT (Institute for Critical Infrastructure Technology), ransomware has already declared war on key service providers. The examples are there: the SFMTA is just another ‘accomplishment’ on the disturbing list of hacked essential operators, including health institutions, distribution networks (energy, electricity, water) and digital service providers, all victimised by Mamba, Petya, Locky and the like.
Rather than blindly trusting a snake’s promise or applying a rigid incident response policy, ICIT calls for an approach tailored to the needs of each infrastructure. Whatever the solution, it must be built along two main axes: prevention and response. How do you avoid being bitten by Mamba? We’ve said it time and time again: the answer lies in training and raising staff awareness.
Still, to succeed, one must always assume that this first axis will fail at some point, hence the need for the right tools to detect malicious anomalies and stop the infection before it compromises the entire network. Better to be known as a “cyber-pessimist” and always have a backup than to face failure unprepared. This also covers the response axis: restoring your company’s services in record time. Whether we’re talking about the SFMTA or the Hollywood Presbyterian Hospital, the ultimate goal is to prevent black hats from disrupting your business. Right?
Cristina Ion (@_cristinaion_ or @Reveelium_AI) is the Community Manager of Reveelium Inc., a subsidiary of the French cybersecurity provider ITrust, specialised in behaviour analytics and machine learning applied to cybersecurity.