Mamona Ransomware represents a new wave of commodity ransomware, operating offline without proper C2 channels and relying on local encryption. It poses significant threats to users and organizations by encrypting files while utilizing coercive tactics in ransom notes. (Affected: End users, organizations)
Key points:
- Mamona Ransomware is a newly identified threat in the commodity ransomware landscape.
- It operates offline, with no external communication or data exfiltration.
- The malware employs local encryption using custom routines.
- It uses simple evasion tricks, such as running ping to introduce time delays.
- Claims of data theft in ransom notes are misleading; no data is actually exfiltrated.
- Files are encrypted and receive the .HAes extension.
- A decryption tool is available and has been tested successfully.
- Mamona’s design is simple, which can complicate detection efforts.
MITRE Techniques:
- Discovery: T1012 – Query Registry; T1082 – System Information Discovery (Malware queries local registries)
- Execution: T1059.003 – Command and Scripting Interpreter (Malware uses CMD to execute commands)
- Defense Evasion: T1070.004 – Indicator Removal (Self-deletion routine after execution)
- Impact: T1486 – Data Encrypted for Impact (User files are encrypted with .HAes extension)
Indicators of Compromise:
- The article mentions a SHA256 hash of the malware variants that could be used for detection.
- It lists the .HAes file extension as an indicator for encrypted files.
- Ransom notes labeled as README.HAes.txt can also be used to identify the presence of the ransomware.
- Local executions and the use of specific commands (like ping) can indicate suspicious activities.
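A defender-side illustration of how the indicators above could be matched against endpoint telemetry, added here as an example and not taken from the ANY.RUN article or any vendor tooling: it classifies file events by the .HAes extension and the README.HAes.txt note name, flags process events whose command line combines a ping delay with deletion of an executable (the self-deletion behaviour described above), and checks a hash allow-list. The sample events are constructed, the hash set holds a placeholder because this summary does not reproduce the SHA256, and the ping-plus-del command-line pattern is an assumption about how the delay and self-deletion would appear in a process log.

```python
"""Host-based detection of the Mamona indicators listed above (constructed example)."""
import re
from collections import Counter

RANSOM_EXT = ".haes"             # encrypted files receive the .HAes extension
RANSOM_NOTE = "readme.haes.txt"  # ransom note filename from the summary
# Placeholder: the summary does not reproduce the real SHA256 from the article.
KNOWN_SHA256 = {"<SHA256-FROM-ORIGINAL-ARTICLE>"}

# Assumed pattern (not from the page): ping used as a sleep, followed in the same
# cmd.exe command line by deletion of an .exe, i.e. delay-then-self-delete.
PING_DELAY = re.compile(r"\bping(\.exe)?\b[^&|]*?(-n\s+\d+|127\.0\.0\.1|localhost)", re.I)
SELF_DELETE = re.compile(r'\b(del|erase)\b\s+(/[a-z]+\s+)*"?[^\s"]+\.exe"?', re.I)


def classify_file_event(path):
    """Return 'ransom_note', 'encrypted_file' or None for a file path."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name == RANSOM_NOTE:
        return "ransom_note"
    if name.endswith(RANSOM_EXT):
        return "encrypted_file"
    return None


def classify_process_event(cmdline, sha256=None):
    """Return a list of reasons why a process event is suspicious (empty if none)."""
    reasons = []
    if sha256 and sha256.lower() in {h.lower() for h in KNOWN_SHA256}:
        reasons.append("known_hash")
    if PING_DELAY.search(cmdline) and SELF_DELETE.search(cmdline):
        reasons.append("ping_delay_self_delete")
    return reasons


def scan_events(events):
    """Run both classifiers over a list of event dicts; return (host, kind, detail) tuples."""
    alerts = []
    for ev in events:
        if ev["type"] == "file":
            kind = classify_file_event(ev["path"])
            if kind:
                alerts.append((ev["host"], kind, ev["path"]))
        elif ev["type"] == "process":
            for reason in classify_process_event(ev["cmdline"], ev.get("sha256")):
                alerts.append((ev["host"], reason, ev["cmdline"]))
    return alerts


def hosts_likely_encrypting(alerts, min_files=1):
    """Hosts with at least min_files encrypted-file alerts, i.e. encryption in progress."""
    counts = Counter(host for host, kind, _ in alerts if kind == "encrypted_file")
    return sorted(host for host, n in counts.items() if n >= min_files)


# Constructed sample telemetry (file-create and process-create events).
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "file", "path": r"C:\Users\alice\Documents\budget.xlsx.HAes"},
    {"host": "ws01", "type": "file", "path": r"C:\Users\alice\Documents\README.HAes.txt"},
    {"host": "ws01", "type": "process",
     "cmdline": 'cmd.exe /c ping 127.0.0.1 -n 3 > nul & del /f /q "C:\\Temp\\update.exe"'},
    {"host": "ws02", "type": "file", "path": r"C:\Users\bob\notes.txt"},
    {"host": "ws02", "type": "process", "cmdline": "ping 8.8.8.8 -n 1"},  # benign ping
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
    print("hosts likely encrypting:", hosts_likely_encrypting(scan_events(SAMPLE_EVENTS)))
```

On real data the extension and note checks are cheap and high-confidence, while the ping/del heuristic should be corroborated with the parent process and the hash, since ping delays also appear in legitimate scripts.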

Full Story: https://any.run/cybersecurity-blog/cybersecurity-blog/mamona-ransomware-analysis/