Mamba Removal

May 20, 2019

What is Mamba

Mamba ransomware is a dangerous cyber threat that encrypts files on the drive and also locks users out of their PCs.

Mamba ransomware is a file-locking virus that deviated from Phobos ransomware, which in turn shares many similarities with the Dharma/CrySiS virus. The malware mostly uses weak RDP connections to propagate, although other methods, such as spam emails, exploit kits and fake updates, might be used as well.

Once inside, Mamba ransomware encrypts files on local as well as networked drives with the help of the AES-2048 cipher. The initial variant of the virus used the .Phobos appendix, although other extensions were used later, such as .Fendi and .Phoenix. The latest version uses the .Id..Mamba file extension and drops an info.txt/info.hta ransom note. After encrypting data, Mamba virus reboots the machine and prevents users from accessing it, as the Master Boot Record is rewritten.

How does Mamba work

To decrypt data or even regain access to the device, the hackers behind Mamba ransomware ask victims to contact them via a variety of different emails, depending on the virus variant; the latest one asks users to write to fileb@protonmail.com or back7@protonmail.ch. Unfortunately, there is currently no decryptor available for this version, but users can use alternative methods to restore data. Before that, however, infected victims should remove Mamba ransomware from their device.

Mamba virus attacked San Francisco’s Municipal Transportation Agency in November 2016 and demanded a $73,000 ransom. In August 2017, the ransomware came back and attacked several corporations in Brazil and Saudi Arabia. Exhibiting a modus operandi similar to Petya, Mamba ransomware encrypts data by taking advantage of the DiskCryptor software. It is also known as HDD Cryptor, while the latest known version is dubbed HDDCrypt. Detected at the end of March 2018, that version does not deviate from its ancestors.

Reportedly, the virus drops 152.exe or 141.exe files on the computer, which are responsible for carrying out the encryption process. After encrypting the victim’s files, the virus reboots the computer and displays the following message on the boot screen:

The victim can enter the decryption password on the boot screen; however, he or she needs to obtain one first. Victims have to get in touch with the malware authors to get information on how to decrypt data and regain access to the computer. This virus asks for a ransom of 1 BTC per host. The money should be transferred to a provided Bitcoin wallet.

However, we always recommend that users NOT pay the ransom, since there is no guarantee that files will be decrypted. Mamba removal is of utmost importance, and it should be completed using anti-malware tools such as Combo Cleaner.

How to delete Mamba

Mamba ransomware is based on Dharma, so its primary distribution method remains manual: hackers break into computers over RDP and install the malware whenever they find a potential victim.
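Because the article names weak RDP connections as Mamba’s main entry vector, the following read-only PowerShell check is added here as an example (it is not part of the original article). It reports whether RDP is enabled, whether Network Level Authentication is required, whether port 3389 is listening, and how many failed RemoteInteractive logons (Security event 4625, LogonType 10) the host recorded in the last 24 hours, which is the password-guessing that precedes a manual RDP break-in. The registry values and event fields used are standard Windows ones; the 24-hour window is an assumption.

```powershell
# Added example, not from the original article: read-only RDP exposure check.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 1 means RDP is disabled; UserAuthentication = 1 means NLA is required.
$rdpDisabled = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$nlaRequired = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication

$report = [ordered]@{
    'RDP enabled'       = ($rdpDisabled -eq 0)
    'NLA required'      = ($nlaRequired -eq 1)
    'Listening on 3389' = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
}

# Helper: pull one EventData field out of a 4625 event by name.
function Get-EventField($Event, $Name) {
    $data = ([xml]$Event.ToXml()).Event.EventData.Data
    ($data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Failed logons of type 10 (RemoteInteractive = RDP) in the last 24 hours (window is an assumption).
$since  = (Get-Date).AddHours(-24)
$failed = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'LogonType') -eq '10' })

$report['Failed RDP logons (24h)'] = $failed.Count
$report['Distinct source IPs']     = @($failed | ForEach-Object { Get-EventField $_ 'IpAddress' } | Sort-Object -Unique).Count
$report['Top targeted accounts']   = ($failed | ForEach-Object { Get-EventField $_ 'TargetUserName' } |
    Group-Object | Sort-Object Count -Descending | Select-Object -First 5 |
    ForEach-Object { "$($_.Name)($($_.Count))" }) -join ', '

[pscustomobject]$report | Format-List
```

Run it in an elevated PowerShell session, since reading the Security log requires administrative rights. A host that shows RDP enabled, NLA not required and hundreds of failed type-10 logons from a handful of addresses is exactly the exposure the article describes; the usual mitigations are to require NLA, keep RDP off the public Internet (VPN or gateway) and enforce account lockout.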

Once again, after a break of several months, Mamba ransomware returned at the end of 2018 and has been actively distributed since. Hackers use a variety of contact addresses and ask for different ransom amounts in their ransom notes.

The latest variant of Mamba ransomware uses the .id..Mamba file extension and demands an undisclosed payment in Bitcoin, the amount of which is revealed once the victim contacts the crooks via the fileb@protonmail.com or back7@protonmail.ch email addresses. Additionally, the hackers offer a free decryption service for 5 files that must not contain important information.

Nevertheless, the ransom should not be paid; users should instead remove Mamba ransomware and use alternative file recovery methods.

The latest Mamba ransomware variants closely resemble the Dharma/CrySiS virus and are also propagated with the help of weak RDP connections.

Mamba is not typical ransomware. Its developers organize an outbreak against organizations and demand a huge ransom. Once the ransom is collected, the operation goes idle for a while. Silent since August 2017, Mamba is expected to come back in the form of HDDCrypt ransomware.

At the beginning of April 2018, ransomware researchers found an unusual ransomware sample, which has been recognized as HDDCrypt by BitDefender, Emsisoft, Symantec, ESET-NOD32, and other reputable AV engines. The current version rewrites the PC’s Master Boot Record sectors and locks the user out of his or her PC. As we have already mentioned, the modus operandi of Mamba ransomware resembles the infamous Petya, as well as Satana. It uses the AES-256-06 cipher to lock victims’ PCs and activates a pirated copy of the open source software DiskCryptor.

Luckily, the HDDCrypt variant of Mamba ransomware did not spread in the wild. Most probably the ransomware is currently in the development phase, though people should be cautious. Do not download standalone file installers from suspicious sources, or freeware without checking the installation setup carefully. Finally, don’t forget to install the latest updates for your OS and update your anti-virus program regularly.

Mamba virus uses the PsExec utility to install and run the ransomware across the network. We have seen the same behavior in the NotPetya operation. When it compromises the network, it creates a C:\xampp\http folder where it installs the DiskCryptor components. PsExec is then used to execute the ransomware on the local computer.

This tool also generates unique passwords for each computer that are connected to the same network by executing this command:

One of the sneakiest features of the malware is that it installs itself as a Windows service and hides under the name DefragmentationService. It also runs with LocalSystem privileges, so Mamba gets full control over the computer.
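The three host artifacts described above (the DefragmentationService service running as LocalSystem, the C:\xampp\http staging folder, and PsExec-driven execution) can be checked for with the following read-only PowerShell triage script. It is an added example, not code from the original article. The service name and folder come from the article; the PSEXESVC service name (the service PsExec creates on a machine it runs on) and System event ID 7045 (a new service was installed) are standard Windows/Sysinternals facts; the 7-day look-back window is an assumption.

```powershell
# Added example, not from the original article: read-only triage for the Mamba/HDDCryptor
# artifacts described in the text. It changes nothing on the host.
$findings = @()

# 1. The persistence service. The article says it runs as LocalSystem, so StartName is worth recording.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='DefragmentationService'" -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "Service '$($svc.Name)': State=$($svc.State), StartName=$($svc.StartName), Path=$($svc.PathName)"
}

# 2. The DiskCryptor staging folder.
$stage = 'C:\xampp\http'
if (Test-Path -LiteralPath $stage) {
    $files = @(Get-ChildItem -LiteralPath $stage -File -Recurse -ErrorAction SilentlyContinue)
    $names = ($files | Select-Object -First 10 -ExpandProperty Name) -join ', '
    $findings += "Folder $stage exists with $($files.Count) file(s): $names"
}

# 3. PsExec artifacts: the PSEXESVC service it drops, plus any recent service installations
#    (System log, event ID 7045) whose text mentions the names above. 7-day window is an assumption.
$psexesvc = Get-CimInstance -ClassName Win32_Service -Filter "Name='PSEXESVC'" -ErrorAction SilentlyContinue
if ($psexesvc) {
    $findings += "PSEXESVC service present (PsExec remote-execution artifact), Path=$($psexesvc.PathName)"
}

$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $msg = [string]$e.Message
    if ($msg -match 'DefragmentationService|PSEXESVC|xampp\\http') {
        $findings += "Event 7045 at $($e.TimeCreated): $($msg -replace '\s+', ' ')"
    }
}

# Report. A non-zero exit code makes the script usable from a fleet-wide job.
if ($findings.Count -eq 0) {
    Write-Output 'No Mamba/HDDCryptor indicators found.'
    exit 0
}
Write-Output 'Possible Mamba/HDDCryptor indicators:'
$findings | ForEach-Object { Write-Output " - $_" }
exit 1
```

Run it elevated so that service details and the System log are readable. If it reports the service or the staging folder on a machine that has not yet rebooted, the encryption stage described below has not started: isolate the host from the network first (PsExec spreads it to neighbours) and preserve the folder contents and the service binary for analysis rather than simply deleting them.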

When the preparatory work is over and all malicious components are installed on the system, the malware reboots the affected device. It then installs its bootloader in the Master Boot Record (MBR) and starts data encryption with DiskCryptor.

Mamba encrypts disk partitions and shows an unusual ransom note. The cybercriminals demand that victims contact them via one of the provided emails in order to get the decryption key:

mcrytp2017@yandex.com citrix2234@protonmail.com

The ransom note also includes the victim’s unique ID number. However, we highly recommend not wasting your time communicating with the criminals or following their demands. You should remove Mamba automatically and restore your files from backups or use alternative recovery methods.

At the end of November 2016, Mamba ransomware managed to find its way onto the San Francisco Municipal Railway system servers and corrupt essential records with unbreakable encryption. According to reports, the virus hit 2,112 computers out of 8,656, blocking the email system, the payment system and also the railway scheduling system.

The virus displayed the same message on all railway system computers: “You hacked, all data encrypted, contact for a key (cryptom27@yandex.ru)”. The ransomware managed to take down ticket dispensers, too.

What is more, the author of the Mamba malware responded to journalists from a San Francisco newspaper, saying that he didn’t intend to infect the railway system, but since it had already happened, the organization had to pay 100 Bitcoin ($73,000) to get the decryption software.

The author calls himself Any Saolis, but obviously that is not the real perpetrator’s name. What is more, the attacker disclosed that he had gained access to private company documents and that he was going to publish them online if the railway company refused to pay the ransom.

However, the company had already restored the system and confirmed that the attackers didn’t manage to access any sensitive data at all. The ransom wasn’t paid.

The virus spreads like a Trojan horse, so the user can install it while thinking that it is a harmless file. You might get it by opening an infected email attachment or launching a bogus software update.

Consequently, it is highly recommended to stay away from sites that provide questionable downloads or show pop-up alerts stating that you need to update your software urgently. Such bogus updates typically contain malware.

Protect your computer in advance by installing anti-malware programs, creating data backups, and avoiding questionable sites on the Internet.

To remove Mamba virus, as we have said, it is strongly advisable to use an anti-malware utility such as Combo Cleaner. We recommend using it because it is programmed by IT experts who analyze each virus individually and create algorithms capable of detecting all files belonging to viruses and removing them.

Unless you are an advanced IT expert, you should not try to carry out Mamba removal manually, because you risk deleting the wrong files and leaving the virus’s components and other unwanted components on the computer system.

Currently, no free Mamba decryption tool is available; therefore, the only way to restore files is to copy them back onto the computer from a backup.

Stage 1: Delete Browser Extension

First of all, we would recommend that you check your browser extensions and remove any that are linked to Mamba. A lot of adware and other unwanted programs use browser extensions in order to hijack web browsers.

Remove Mamba Extension from Google Chrome

  1. Launch Google Chrome.
  2. In the address bar, type: chrome://extensions/ and press Enter.
  3. Look for Mamba or anything related to it, and once you find it, press ‘Remove’.

Uninstall Mamba Extension from Firefox

  1. Launch Mozilla Firefox.
  2. In the address bar, type: about:addons and press Enter.
  3. From the menu on the left, choose Extensions.
  4. Look for Mamba or anything related to it, and once you find it, press ‘Remove’.

Delete Mamba Extension from Safari

  1. Launch Safari.
  2. Press on the Safari Settings icon, which you can find in the upper-right corner.
  3. Select Preferences from the list.
  4. Choose the Extensions tab.
  5. Look for Mamba or anything related to it, and once you find it, press ‘Uninstall’.
  6. Additionally, open Safari Settings again and choose Downloads.
  7. If Mamba.safariextz appears on the list, select it and press ‘Clear’.

Remove Mamba Add-ons from Internet Explorer

  1. Launch Internet Explorer.
  2. From the menu at the top, select Tools and then press Manage add-ons.
  3. Look for Mamba or anything related to it, and once you find it, press ‘Remove’.
  4. Reopen Internet Explorer. In the unlikely scenario that Mamba is still on your browser, follow the additional instructions below.
  5. Press Windows Key + R, type appwiz.cpl and press Enter
  6. The Program and Features window will open where you should be able to find the Mamba program.
  7. Select Mamba or any other recently installed unwanted entry and press ‘Uninstall/Change’.

Alternative method to clear the browser from Mamba

There may be cases when adware or PUPs cannot be removed by simply deleting extensions. In those situations, it is necessary to reset the browser to its default configuration. If you notice that the infection is still present even after getting rid of weird extensions, follow the instructions below.

Use Chrome Clean Up Tool to Delete Mamba

  1. Launch Google Chrome.
  2. In the address box, type: chrome://settings/ and press Enter.
  3. Expand Advanced settings, which you can find by scrolling down.
  4. Scroll down until you see Reset and Cleanup.
  5. Press on Clean up computer. Then press Find.

This Google Chrome feature is supposed to clear the computer of any harmful software. If it does not detect Mamba, go back to the Reset and Cleanup section and reset the settings.

Reset Mozilla Firefox to Default

If you still find Mamba in your Mozilla Firefox browser, you should be able to get rid of it by restoring your Firefox settings to default. While extensions and plug-ins will be deleted, this will not touch your browser history, bookmarks, saved passwords or Internet cookies.

  1. Launch Mozilla Firefox
  2. Into the address box, type: about:support and press Enter.
  3. You will be redirected to a Troubleshooting Information page.
  4. From the menu on the right side, select Refresh Firefox.
  5. Confirm your choice by clicking Refresh Firefox in the new window.
  6. Your browser will close automatically in order to successfully restore the settings.
  7. Press Finish.

Reset Safari Browser to Normal Settings

  1. Launch Safari.
  2. Press on the Safari Settings icon, which you can find in the upper-right corner.
  3. Press Reset Safari.
  4. A new window will appear. Select the boxes of what you want to reset or use the screenshot below to guide you. Once you have selected everything, press ‘Reset’.
  5. Restart Safari.

Restore Internet Explorer to Default Settings

  1. Launch Internet Explorer.
  2. From the top menu, press on Tools and then Internet Options.
  3. In the new window that opens, choose the Advanced tab.
  4. At the bottom of the window, below Reset Internet settings, there will be a ‘Reset’ button. Press that.

While extensions and plug-ins will be deleted, this will not touch your browser history, bookmarks, saved passwords or Internet cookies.
