HDDCryptor ransomware returns, now encrypts entire hard drives, not just single files
The newest surge in ransomware is drawing concern for its ability to encrypt entire hard drives. HDDCryptor, or Mamba, targets network resources such as folders, drives, files, serial ports and printers and then locks down the drive, according to security firm Trend Micro.
This differs vastly from the majority of ransomware families, which are only able to target specific file types or folders on drives, removable media and networks.
Mamba is distributed through phishing email campaigns that redirect users to malicious websites, where the payload is downloaded in the background. It can also be added as a file dropped by other malware, Trend Micro explained.
The surge in recent activity appears to have begun in late August. However, it’s not a new ransomware strain. It was first discovered in January 2016, but didn’t receive attention from security researchers or vendors as it wasn’t part of a massive distribution campaign.
HDDCryptor has the ability to find previously connected drives or cached disconnected network paths and reconnect to them using all available credentials, with the help of the tool netpass.exe, the Trend Micro report found. It also adds a service called DefragmentService that runs in the background at every boot.
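One way a defender can hunt for the persistence step described above, as an added example that is not from the article or from Trend Micro: scan exported Windows System log entries for service installations (Event ID 7045) whose service name or image path matches the indicators named in the report. The pipe-separated log format and the sample entries are constructed for this example; the image paths are placeholders, not real indicators.

```python
"""Flag service installs matching the HDDCryptor/Mamba indicators above."""

# Indicators taken from the report: the service name and the credential tool.
SUSPICIOUS_SERVICE_NAMES = {"defragmentservice"}
SUSPICIOUS_IMAGE_TOKENS = ("netpass.exe",)

# Constructed sample of exported System log entries, one per line:
# timestamp | event id | service name | image path (paths are placeholders)
SAMPLE_LOG = """\
2016-09-01T08:12:03Z|7045|Spooler|C:\\Windows\\System32\\spoolsv.exe
2016-09-01T08:15:44Z|7045|DefragmentService|C:\\Users\\Public\\payload.exe
2016-09-01T08:16:01Z|7045|NetPassHelper|C:\\Users\\Public\\netpass.exe
2016-09-01T09:00:00Z|7036|Spooler|running
"""


def parse_event(line):
    """Split one exported log line into its fields; None if malformed."""
    parts = line.strip().split("|")
    if len(parts) != 4:
        return None
    ts, event_id, name, image = parts
    return {"ts": ts, "event_id": event_id, "name": name, "image": image}


def is_suspicious(event):
    """Only service-install events (7045) are checked against the indicators."""
    if event["event_id"] != "7045":
        return False
    if event["name"].lower() in SUSPICIOUS_SERVICE_NAMES:
        return True
    image = event["image"].lower()
    return any(token in image for token in SUSPICIOUS_IMAGE_TOKENS)


def find_suspicious_installs(log_text):
    """Return (timestamp, service name, image path) for every matching install."""
    hits = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event and is_suspicious(event):
            hits.append((event["ts"], event["name"], event["image"]))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_installs(SAMPLE_LOG):
        print("suspicious service install:", hit)
```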
After encryption, HDDCryptor rewrites all hard drive Master Boot Records with a custom boot loader. The computer reboots without user input and the ransom note is displayed on the screen, the report found. Booting the computer normally is then impossible, as doing so requires a decryption key.
The virus uses a hard-coded malware ID, implying the cybercriminals may only be using a single decryption key, Trend Micro explained. For now, the virus is only targeting Windows users.