Iranian Hackers Using “Mamba” Ransomware?

Are Iranian hackers involved in using the “Mambaransomware (or possibly be behind the ransomware)? It seems unclear but an article in November by Brian Krebs indicate there could be a connection.

What is Mamba?

According to Sophos, the Mamba ransomware scrambles every disk sector, including the Master File Table (MFT), the operating system, all applications, files and all personal data. Mamba installs the DiskCryptor Full Disk Encryption (FDE) tool (this type of software asks for a password at bootup, and decrypts every sector as it is read/encrypts every sector as it is written).

The details

The infection vector Mamba uses is not exactly known, but probably uses social engineering in the form of an email link for a user to click on. 

If a user does stupidly cause the Mamba ransomware to be downloaded, then on Windows system they would see the user account control (UAC) window appear asking to install MAMBA.EXE (!) What happens next if the software is allowed to install is:

  • Mamba installs itself as a Windows service (called DefragmentationService) using the local SYSTEM privileges.
  • The computer then reboots.
  • After reboot, Mamba then installs DiskCryptor and is located in the directory C:DC22.
  • At this stage, the user could recover their computer (the encryption is not complete): using the utility DCRYPT and selecting the Decrypt option, the user can see in plaintext, the file called log_file.txt will contain the password! However, if the user allows the computer to reboot beforehand, then the computer will be encrypted and the user has no way to know the password.
On older Windows system using Master Boot Records (MBR) on the hard drive, you will see something similar to what the Petya ransomware uses; on newer Windows systems, you wont see the message. In both cases, your only option is to wipe your hard drive; all data is gone.

The link with Iran

The blog of Brian Krebs( shows that Iranians may have used Mamba against targets, including the San Francisco Municipal Transportation Agency (SFMTA). Fare station terminals displayed the message, “You are Hacked. ALL Data Encrypted.” The messaged showed that the contact for the key to decrypt the computers could be obtained by contacting the email address

According to Krebs, the email address of was hacked by another hacker, who found the same credentials worked for the crytom2016@yandex email account. A server identified used in association with the user of the cryptom2016 account was used to scan for various vulnerabilities on the Internet, including for Oracle products, especially “Weblogic unserialize exploit” and the Primavera project portfolio management software.

The server used to launch the Oracle vulnerability scans had detailed logs about the date, time and Internet address of each login. A review of the more than 300 Internet addresses used to administer the server revealed that it has been controlled almost exclusively from Internet addresses in Iran

The attack server logs also included web links or IP addresses of each victim server, listing the hacked credentials and having notes made next to each victim by the attacker. The notes appeared to be transliterated Farsi

User account names on the attack server held other clues of Iranian involvement, such as names like “Alireza,” “Mokhi.” Alireza may pertain to Ali Reza, the seventh descendant of the prophet Muhammad. However… these are common names in and around Iran and could also indicate surrounding countries of origin (such names is also popular in Turkey and the Arab world). 

I would say, knowing what my country is capable of, that the Iranian state or Iranian cyber criminals ARE involved in using Mamba ransomware to extort money to further other cyber activities.