Severity scale:  
  (99/100)

Remove Mamba ransomware / virus (Virus Removal Guide) - updated May 2019

removal by Linas Kiguolis - - | Type: Ransomware

Mamba ransomware is a file locking virus that not only locks up files but also rewrites Master Boot Record, preventing victims from entering the computer

Mamba ransomware virus

Mamba ransomware is a file locking virus that deviated from Phobos ransomware, which incorporates a lot of similarities with Dharma/CrySiS virus. The malware mostly uses weak RDP connections to propagate, although other methods, like spam emails, exploit kits, fake updates, etc., might be used as well.

Once inside, Mamba ransomware encrypts files on the local as well networked drives with the help of AES-2048 cipher. Initial variant of the virus used .phobos appendix, although other extensions were used later – .fendi, .phoenix, and others. The latest version[1] incorporates .id[XXXXXX-1130].[fileb@protonmail.com].mamba file extension, and drops info.txt/info.hta ransom note. After encrypting data, Mamba virus reboots the machine and prevents users from accessing the machine, as Master Boot Record is rewritten.

Questions about Mamba ransomware virus

To decrypt data or even be able to enter the device, hackers behind Mamba ransomware ask victims to contact them via a variety of different emails, depending on the virus variant – the latest one asks users to write to fileb@protonmail.com or back7@protonmail.ch. Unfortunately, there is currently no decryptor for this version available, but users can use alternative methods for data restore. Before that, however, the infected victims should remove Mamba ransomware from their device.

Name Mamba
Type of malware Ransomware
Also known as  HDD Cryptor, HDDCrypt
Related 152.exe141.exe, DefragmentService
File extensions .phobos, .fendi, .phoenix, .mamba
Symptoms Personal files inaccessible, lock screen displayed at boot
Danger High. Can cause permanent data loss and system's crach
Attacks being held in 2016 against San Francisco’s Municipal Transportation Agency
2017 attacked corporations in Brazil and Saudi Arabia
New strains detected in 2018, though attacks haven't yet been executed
Mamba victims should use Reimage Reimage Cleaner or another professional security tools to get rid of this malicious virus

Mamba virus attacked San Francisco’s Municipal Transportation Agency in November 2016 and asked to pay $73,000[2] ransom. In August 2017, ransomware came back and attacked several corporations in Brazil and Saudi Arabia.[3] Exhibiting modus operandi traits similar to Petya, Mamba ransomware targets data taking advantage of the DiskCryptor software. It is also known as HDD Cryptor, while the latest version known is dubbed as HDDCrypt. Detected at the end of March 2018, the virus does not deviate from its ancestors.

Reportedly, the virus drops 152.exe or 141.exe files on the computer, which are responsible for carrying out the encryption process. After encrypting victim’s files, the virus reboots the computer and displays the following message on the boot screen:

“You are Hacked ! H.D.D. Encrypted , Contact Us For Decryption Key (w889901665@yandex.com)
YOURID: [Victim’s ID]”

The victim can enter the decryption password on the boot screen; however, he or she needs to get one first. Victims have to get in touch with malware authors and get information on how to decrypt data and get access to the computer again. This virus asks to pay a ransom of 1BTC per 1 host. The money should be transferred to a provided Bitcoin wallet.

However, we always recommend users NOT to pay the ransom since it gives no guarantee that files will be decrypted[4]. Mamba removal is at utmost importance, and it should be completed using anti-malware tools, for example, Reimage Reimage Cleaner or SpyHunter 5Combo Cleaner.

2019: latest Mamba ransomware variants exploit weak RDPs for propagation

Mamba ransomware is based on Dharma, so its primary distribution method remains manual – breaking into the computers via RDP[5] and installing the malware is something that hackers practice every time they detect a potential victim.

Once again, after several months of a break, Mamba ransomware returned at the end of 2018 and is being actively distributed since. Hackers use a variety of contact addresses and ask for a different amount of ransom inside ransom notes.

The latest variant of Mamba ransomware uses .id[XXXXXX-1130].[fileb@protonmail.com].mamba file extension and demands an unknown amount of payment in Bitcoin, which is declared once the victim contacts crooks via fileb@protonmail.com or back7@protonmail.ch email addresses. Additionally, hackers also offer a free decryption service for 5 files that cannot contain important information.

Nevertheless, the ransom should not be paid, as users should instead remove Mamba ransomware and use alternative file recovery methods.

Mamba ransomware uses RDP for propagation
Latest Mamba ransomware variants closely remind of Dharma/CrySiS virus and are also propagated with the help of weak RDP connections

Experts warn about expected Mamba ransomware comeback in 2018

Mamba is not typical ransomware. Its developers organize an outbreak against organizations and demand for huge ransom. Once collected, goes idle for a while. Silent since 2017 August, Mamba is expected to come back in the form of HDDCrypt ransomware.[6]  

At the beginning of April 2018, ransomware researchers found out an unusual ransomware sample, which has been recognized as HDDCrypt by BitDefender, Emsisoft, Symantec, ESET-NOD32, and other reputable AV engines.[7] The current version rewrites PC's Master Boot Record sectors and locks the user out of his or her PC. As we have already mentioned, the modus operandi of Mamba ransomware reminds the infamous Petya, as well as Satana. It uses AES-256-06 cipher to lock victims PCs and activates a pirated copy of the open source software DiskCryptor. 

Luckily, Mamba ransomware HDDCrypt variant did not go wild. Most probably the ransomware is currently in the development phase, though people should be cautious. Do not download standalone file installers from suspicious sources, as well as freeware without checking the installation setup carefully. Finally, don't forget to install the latest updates for your OS and update the anti-virus program regularly. 

Mamba ransomware launched new attacks in August 2017

Mamba virus uses PSEXEC utility to install and run ransomware on the network. The same behavior we have seen in NotPetya operation. When it compromises the network, it creates a C: \xampp\http folder where it installs DiskCryptor components. This utility is used for executing ransomware on the local computer.

This tool also generates unique passwords for each computer that are connected to the same network by executing this command:

C: \TEMP\721.exe longPassword /accepteula

One of the sneakiest features of the malware is that it installs itself as a Windows Service and hides itself under the DefragmentationService name. It also gets LocalSystem privileges, so Mamba gets full control over the computer.

When preparatory work is over, and all malicious components are installed on the system, malware reboots the affected device. Then it configures bootloader to Master Boot Record (MBR) and starts data encryption with DiskCryptor.

Mamba encrypts disk partitions and shows an unusual ransom note. Cyber criminals demand to contact them by one of the provided emails in order to get decryption key:

  • mcrytp2017@yandex.com
  • citrix2234@protonmail.com

The ransom note also includes ransom unique victim’s ID number. However, we highly recommend not wasting your time with communicating with criminals and following their demands. You should remove Mamba automatically and restore your files from backups or use alternative recovery methods.

Mamba hit public transit system of San Francisco in November 2016

Mamba ransomware
Mamba ransomware is a file locking virus that has been active since 2016, although new variants come out regularly.

At the end of November of 2016, Mamba ransomware managed to find its way to San Fransisco Municipal railway system servers and corrupt essential records with unbreakable encryption. According to reports, the virus did hit 2,112 computers out of 8,656, blocking the email system, payment system and also railway scheduling system.

The virus displayed the same message on all railway system computers: You hacked, all data encrypted, contact for a key (cryptom27@yandex.ru)[8]. Ransomware managed to take down ticket dispensers, too.

What is more, the author of the Mamba malware has responded to some journalists from San Fransisco newspaper, saying that he didn't intend to infect the railway system, but since it has already happened, the organization has to pay 100 Bitcoin ($73,000) to get the decryption software.

The author calls himself Any Saolis, but obviously, that is not the real perpetrator's name. What is more, the attacker disclosed that he has gained access to private company's documents and that he is going to publish them online if the railway company refuses to pay the ransom[9].

However, the company has already restored the system and confirmed that attackers didn't manage to access any sensitive data at all[10]. The ransom wasn't paid.

Mamba ransomware infection
Mamba ransomware managed to compromise Muni railway system in San Francisco back in 2016, then initiated attacks on Brazil and Saudi Arabia corporations in 2017.

Distribution methods of the ransomware virus

The virus spreads like a Trojan horse, so the user can install it while thinking that it is a harmless file. You might download it from email after opening an infectious email attachment or launching a malicious software update.

Consequently, it is highly recommended to stay away from sites that provide questionable downloads or show pop-up alerts stating that you need to update your software urgently. Such bogus updates typically contain malware.

Besides, ransomware threats frequently spread with the help of exploit kits. To prevent ransomware attacks, users should:

  • protect their computers in advance by installing anti-malware programs,
  • creating data backups,
  • bypassing questionable sites on the Internet.

Elimination instructions for the Mamba ransomware

To remove Mamba virus, just as we have said, it is strongly advisable to use anti-malware utility, such as Reimage Reimage Cleaner or SpyHunter 5Combo Cleaner. We recommend using it because it is programmed by IT experts who analyze each virus individually and create algorithms capable of detecting all files belonging to viruses and removing them.

Unless you are an advanced IT expert, you should not try to carry out Mamba removal manually, because you risk to delete wrong files, leave virus’ components and other unwanted components on the computer system.

Currently, the free Mamba decryption tool has not been found; therefore, the only way to restore files is to copy and paste them on the computer from a backup.

Offer
do it now!
Download
Reimage Happiness
Guarantee
Download
Reimage Cleaner Happiness
Guarantee
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage Reimage Cleaner, submit a question to our support team and provide as much details as possible.
Reimage Reimage Cleaner has a free limited scanner. Reimage Reimage Cleaner offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage Cleaner, try running Combo Cleaner.

To remove Mamba virus, follow these steps:

Remove Mamba using Safe Mode with Networking

If you cannot run automatic Mamba elimination, follow these steps:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Mamba

    Log in to your infected account and start the browser. Download Reimage Reimage Cleaner or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Mamba removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Mamba using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Mamba. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage Reimage Cleaner and make sure that Mamba removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Mamba from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

Although there is no free decryption tool released, please, do not panic and do not rush to pay the ransom. Criminals might send you an infectious file together with the decryption software, or provide no decryption tool at all. You can wait, if you want – sometimes security experts manage to come up with free decryption tools in case they succeed to crack the ransomware code. Of course, you can recover files from backup disk or drive – just remove Mamba virus first.

If your files are encrypted by Mamba, you can use several methods to restore them:

Data Recovery Pro might help to recover your data

If your files have been encrypted by Mamba, you can try Data Recovery Pro service. Install this program using these instructions:

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Mamba ransomware;
  • Restore them.

Mamba decryptor is not available yet

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Mamba and other ransomwares, use a reputable anti-spyware, such as Reimage Reimage Cleaner , SpyHunter 5Combo Cleaner or Malwarebytes

About the author

Linas Kiguolis
Linas Kiguolis - Expert in social media

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Linas Kiguolis
About the company Esolutions

References

Removal guides in other languages


  1. Ulric says:
    September 16th, 2016 at 5:46 am

    Mamba has infected my PC today, wheres the decryption software?

  2. Rosie says:
    September 16th, 2016 at 5:49 am

    Why my antivirus didnt block mamba virus ??

  3. Maison says:
    September 16th, 2016 at 5:50 am

    Mine didnt block it too, i think because I have never updated it, I have read that somewhere

  4. Manthye says:
    September 16th, 2016 at 5:53 am

    Literally just got my computer encrypted with this malware, I dont know what happened!!! I was browsing through the Internet, clicking on search results and exploring funny videos. Then I left my PC for like half an hour and this happened!

Your opinion regarding Mamba ransomware virus