Danger level:  
  (99/100)

Mamba ransomware. How to delete? (Removal tutorial)

removal by Linas Kiguolis - - | Type: Ransomware
12

The comeback of Mamba – the destructive virus is distributed again

Mamba ransomware virus

Mamba ransomware is a malicious computer virus that is most known for attacking San Francisco’s Muni in 2016. The virus is also known as HDD Cryptor, and it functions similarly to Petya virus. The malware employs open-source full disk encryption software for Windows OS – DiskCryptor.

After infecting the system, Mamba runs its processes to encrypt files on the victim’s computer. After compromising the system, the virus restarts the computer to display a short message on a blank black screen. The virus says: “You are Hacked! H.D.D. Encrypted, Contact Us for Decryption Key (email address here). Your ID: [victim’s ID].”

Currently known variants of Mamba leave one of the following email addresses for the victims:

  • w889901665@yandex.com;
  • mrcrypt2017@yandex.com;
  • citrix2234@protonmail.com.

The ransomware suggests entering a “key” for data decryption. The key can be obtained only by paying a ransom to cyber criminals. According to several reports, the virus’s authors demand one Bitcoin per infected computer. More details regarding data recovery are revealed to the victim after one writes to one of the provided emails (we do not recommend doing so!).

Remember that cyber criminals aim to extort you, but that doesn’t mean that they are trustworthy enough to fulfill their part of the agreement, meaning that they might decide not to provide you with data recovery key. For this reason, we recommend you to keep your money to yourself and not waste them by playing by criminals’ rules.

You must remove Mamba virus from the system using a professional anti-malware software. You should choose a reliable security product to complete this task. We highly recommend Reimage for Mamba removal.

UPDATE. Mamba ransomware resurfaces in summer 2017

The malicious software was spotted rampaging in Brazil and Saudi Arabia in August 2017. The attacker leverages psexec utility to launch the ransomware on target computers. The ransomware creates a folder for DiskCryptor files on victim’s computer and uses it for data encryption later on.

Before compromising victim’s files, the virus prepares for this task first. Once it drops its components into the freshly created C:\Xampp\http folder, it installs DiskCryptor driver and registers a system service called DefragmentService. Once these tasks are complete, the virus restarts the compromised computer.

Finally, the malware setups a bootloader to MBR and starts the encryption process using the DiskCryptor. Finally, the virus reboots victim’s computer again to display the scary message asking to contact cybercriminals. In this new Mamba 2017 version, these emails are provided to the victim: mrcrypt2017@yandex.com and citrix2234@protonmail.com.

Mamba ransomware is best known for its attack against San Francisco’s Muni railway network. The virus successfully compromised railway’s computers, allowing passengers take rides for free.

The ransomware compromised over 2,112 computers. The cyber extortionists attempted to demand a ransom of 100 Bitcoin in exchange for network recovery, but the railway’s authorities rejected this “offer.”

Distribution of ransom-demanding viruses

Ransomware isn’t a Trojan, but it infects victim’s computer in a similar manner. Developers of ransomware tend to obfuscate the malicious payload in the form of a safe-looking email attachment, usually an archive or a document.

You should never attempt to open files or links you received from strangers. On top of that, stay away from Internet sites that seem untrustworthy to you. It can be hard to identify hazardous content online, especially if you are not a tech-savvy person, but that is why anti-spyware and anti-malware products are for.

They can help you to protect your PC from ransomware attack. Finally, you must create a data backup and update it regularly. This helps to recover encrypted files in case the ransomware successfully enters your computer unnoticed.

Remove Mamba ransomware from the system

We do not recommend you to test your malware removal skills and remove Mamba virus professionally. For that, you should rely on a secure malware removal tools. Ideally, use an up-to-date anti-malware program. If you do not have one yet, consider installing a program recommended by our team.

Remember that unsuccessful Mamba removal attempts can leave your files compromised for good. If you do not want to damage them permanently or if you do not want to cause more computer security-related problems, follow these expert tips on how to eliminate ransomware from an infected computer.

We might promote some affiliate products. An entire disclosure is provided in our Terms and Conditions. By Downloading any recommended Anti-spyware software to uninstall Mamba ransomware you accept our privacy policy and terms and conditions.
try it now!
Download
Reimage (remover) Happiness
Guarantee
Download
Reimage (remover) Happiness
Guarantee
Compatible with Microsoft Windows Compatible with OS X
What to do if failed?
If you failed to remove infection using Reimage, submit a question to our support team and provide as much details as possible.
Computer security experts recommend using Reimage to uninstall Mamba ransomware. Reimage scans the entire computer system and checks whether it is infected with spyware/malware or not. If you want to remove computer threats and secure your computer system, you should consider buying the licensed version of Reimage.

You can find more details about this program in Reimage review.

You can find more details about this program in Reimage review.
Press mentions on Reimage
Press mentions on Reimage

Manual Mamba Virus Removal Instructions:

Eliminate Mamba using Safe Mode with Networking

You can detect malware using Reimage.
You need to purchase a licensed version of it to remove threats.
More details about Reimage.

Sometimes viruses block security products. In such situation, eliminate Mamba while in Safe Mode with Networking.

  • Step 1: Restart your computer in Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Go to Start Shutdown Restart OK.
    2. As soon as your computer starts, start pressing F8 key repeatedly before the Windows logo shows up.
    3. Choose Safe Mode with Networking from the list Choose 'Safe Mode with Networking' option

    Windows 10 / Windows 8
    1. Click on the Power button at the Windows login screen, and then press and hold Shift key on your keyboard. Then click Restart.
    2. Then select Troubleshoot Advanced options Startup Settings and click Restart.
    3. Once your computer starts, select Enable Safe Mode with Networking from the list of options in Startup Settings. Choose 'Enable Safe Mode with Networking' option
  • Step 2: Remove Mamba

    Sign in to your account and launch any Internet browser. Download a legitimate anti-malware software, for instance, Reimage. Make sure you update it to the latest version and then run a full system scan with it to detect and eliminate all malicious components of the ransomware to remove Mamba completely.

If your ransomware does not allow you to access Safe Mode with Networking, please follow the instructions provided below.

Eliminate Mamba using System Restore

You can detect malware using Reimage.
You need to purchase a licensed version of it to remove threats.
More details about Reimage.

  • Step 1: Restart your computer in Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Go to Start Shutdown Restart OK.
    2. As soon as your computer starts, start pressing F8 key repeatedly before the Windows logo shows up.
    3. Choose Command Prompt from the list Choose 'Safe Mode with Command Prompt' option

    Windows 10 / Windows 8
    1. Click on the Power button at the Windows login screen, and then press and hold Shift key on your keyboard. Then click Restart.
    2. Then select Troubleshoot Advanced options Startup Settings and click Restart.
    3. Once your computer starts, select Enable Safe Mode with Command Prompt from the list of options in Startup Settings. Choose 'Enable Safe Mode with Command Prompt' option
  • Step 2: Perform a system restore to recover files and settings
    1. When the Command Prompt window appears, type in cd restore and press Enter. Type 'cd restore' without quotes and hit 'Enter'
    2. Then type rstrui.exe and hit Enter.. Type 'rstrui.exe' without quotes and hit 'Enter'
    3. In a new window that shows up, click the Next button and choose a restore point that was created before the infiltration of Mamba and then click on the Next button again. When 'System Restore' wizard comes up, click 'Next'. Choose a preferable restore point and click 'Next'
    4. To start system restore, click Yes. Hit 'Yes' and start system restore
    After restoring the computer system to an antecedent date, install and check your computer with Reimage to uncover any remains of Mamba.

Bonus: Restore your files

Using the tutorial provided above you should be able to eliminate Mamba from the infected device. novirus.uk team has also prepared an in-depth data recovery guide which you will also find above.

We want to remind you that paying the ransom doesn't necessarily help to recover corrupted data. You might never get an answer from cyber criminals, especially after paying the amount of money they ask you. If you do not have a data backup, you should try these methods.

There are a couple of methods you can apply to recover data encrypted by Mamba:

Test Data Recovery Pro

Although the majority of data recovery tools will be useless when dealing with records corrupted by Mamba, you can try this one particular software recommended by us.

  • Download Data Recovery Pro (https://novirus.uk/download/data-recovery-pro-setup.exe);
  • Install Data Recovery on your computer following the steps indicated in the software’s Setup;
  • Run the program to scan your device for the data encrypted by Mamba ransomware;
  • Recover the data.

Recover individual files using Previous Copies

This method works on computers with a previously created system restore point in them.

  • Right-click on the encrypted document you want to recover;
  • Click “Properties” and navigate to “Previous versions” tab;
  • In the “Folder versions” section look for the available file copies. Choose the desired version and press “Restore”.

No tools capable of decrypting files locked by Mamba are available

It is strongly recommended to take precautions and secure your computer from malware attacks. To protect your PC from Mamba and other dangerous viruses, you should install and keep a powerful malware removal tool, for instance, Reimage, Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware.

About the author

Linas Kiguolis
Linas Kiguolis

If you found this free removal tutorial helpful, please consider making a donation to support us. Even the smallest amount will be appreciated and will help to keep this service alive.

More information about the author

Source: https://www.2-spyware.com/remove-mamba-ransomware-virus.html

Uninstall guides in different languages