Mamba virus Removal Guide
Description of Mamba ransomware
The comeback of Mamba – the destructive virus is distributed again
Mamba ransomware is a malicious computer virus that is most known for attacking San Francisco’s Muni in 2016. The virus is also known as HDD Cryptor, and it functions similarly to Petya virus. The malware employs open-source full disk encryption software for Windows OS – DiskCryptor.
After infecting the system, Mamba runs its processes to encrypt files on the victim’s computer. After compromising the system, the virus restarts the computer to display a short message on a blank black screen. The virus says: “You are Hacked! H.D.D. Encrypted, Contact Us for Decryption Key (email address here). Your ID: [victim’s ID].”
Currently known variants of Mamba leave one of the following email addresses for the victims:
The ransomware suggests entering a “key” for data decryption. The key can be obtained only by paying a ransom to cyber criminals. According to several reports, the virus’s authors demand one Bitcoin per infected computer. More details regarding data recovery are revealed to the victim after one writes to one of the provided emails (we do not recommend doing so!).
Remember that cyber criminals aim to extort you, but that doesn’t mean that they are trustworthy enough to fulfill their part of the agreement, meaning that they might decide not to provide you with data recovery key. For this reason, we recommend you to keep your money to yourself and not waste them by playing by criminals’ rules.
You must remove Mamba virus from the system using a professional anti-malware software. You should choose a reliable security product to complete this task. We highly recommend FortectIntego for Mamba removal.
Mamba virus doesn't state how much money it wants for the data decryption key, but it suggests writing to one of provided emails for more information regarding data recovery.
UPDATE. Mamba ransomware resurfaces in summer 2017
The malicious software was spotted rampaging in Brazil and Saudi Arabia in August 2017. The attacker leverages psexec utility to launch the ransomware on target computers. The ransomware creates a folder for DiskCryptor files on victim’s computer and uses it for data encryption later on.
Before compromising victim’s files, the virus prepares for this task first. Once it drops its components into the freshly created C:\Xampp\http folder, it installs DiskCryptor driver and registers a system service called DefragmentService. Once these tasks are complete, the virus restarts the compromised computer.
Finally, the malware setups a bootloader to MBR and starts the encryption process using the DiskCryptor. Finally, the virus reboots victim’s computer again to display the scary message asking to contact cybercriminals. In this new Mamba 2017 version, these emails are provided to the victim: firstname.lastname@example.org and email@example.com.
Mamba ransomware is best known for its attack against San Francisco’s Muni railway network. The virus successfully compromised railway’s computers, allowing passengers take rides for free.
The ransomware compromised over 2,112 computers. The cyber extortionists attempted to demand a ransom of 100 Bitcoin in exchange for network recovery, but the railway’s authorities rejected this “offer.”
Distribution of ransom-demanding viruses
Ransomware isn’t a Trojan, but it infects victim’s computer in a similar manner. Developers of ransomware tend to obfuscate the malicious payload in the form of a safe-looking email attachment, usually an archive or a document.
You should never attempt to open files or links you received from strangers. On top of that, stay away from Internet sites that seem untrustworthy to you. It can be hard to identify hazardous content online, especially if you are not a tech-savvy person, but that is why anti-spyware and anti-malware products are for.
They can help you to protect your PC from ransomware attack. Finally, you must create a data backup and update it regularly. This helps to recover encrypted files in case the ransomware successfully enters your computer unnoticed.
Remove Mamba ransomware from the system
We do not recommend you to test your malware removal skills and remove Mamba virus professionally. For that, you should rely on a secure malware removal tools. Ideally, use an up-to-date anti-malware program. If you do not have one yet, consider installing a program recommended by our team.
Remember that unsuccessful Mamba removal attempts can leave your files compromised for good. If you do not want to damage them permanently or if you do not want to cause more computer security-related problems, follow these expert tips on how to eliminate ransomware from an infected computer.
Getting rid of Mamba virus. Follow these steps
In-depth guide for the Mamba elimination
Sometimes viruses block security products. In such situation, eliminate Mamba while in Safe Mode with Networking.
The elimination guide can appear too difficult if you are not tech-savvy. It requires some knowledge of computer processes since it includes system changes that need to be performed correctly. You need to take steps carefully and follow the guide avoiding any issues created due to improper setting changes. Automatic methods might suit you better if you find the guide too difficult.
Step 1. Launch Safe Mode with Networking
Safe Mode environment offers better results of manual virus removal
Windows 7 / Vista / XP
- Go to Start.
- Choose Shutdown, then Restart, and OK.
- When your computer boots, start pressing the F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) a few times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click the Start button and choose Settings.
- Scroll down to find Update & Security.
- On the left, pick Recovery.
- Scroll to find Advanced Startup section.
- Click Restart now.
- Choose Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Choose 5) Enable Safe Mode with Networking.
Step 2. End questionable processes
You can rely on Windows Task Manager that finds all the random processes in the background. When the intruder is triggering any processes, you can shut them down:
- Press Ctrl + Shift + Esc keys to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes.
- Look for anything suspicious.
- Right-click and select Open file location.
- Go back to the Process tab, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check the program in Startup
- Press Ctrl + Shift + Esc on your keyboard again.
- Go to the Startup tab.
- Right-click on the suspicious app and pick Disable.
Step 4. Find and eliminate virus files
Data related to the infection can be hidden in various places. Follow the steps and you can find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive (C: is your main drive by default and is likely to be the one that has malicious files in) you want to clean.
- Scroll through the Files to delete and select the following:
Temporary Internet Files
- Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
After you are finished, reboot the PC in normal mode.
Eliminate Mamba using System Restore
Step 1: Restart your computer in Safe Mode with Command Prompt
Windows 7 / Vista / XP
- Go to Start → Shutdown → Restart → OK.
- As soon as your computer starts, start pressing F8 key repeatedly before the Windows logo shows up.
- Choose Command Prompt from the list
Windows 10 / Windows 8
- Click on the Power button at the Windows login screen, and then press and hold Shift key on your keyboard. Then click Restart.
- Then select Troubleshoot → Advanced options → Startup Settings and click Restart.
- Once your computer starts, select Enable Safe Mode with Command Prompt from the list of options in Startup Settings.
Step 2: Perform a system restore to recover files and settings
- When the Command Prompt window appears, type in cd restore and press Enter.
- Then type rstrui.exe and hit Enter..
- In a new window that shows up, click the Next button and choose a restore point that was created before the infiltration of Mamba and then click on the Next button again.
- To start system restore, click Yes.
Bonus: Restore your filesUsing the tutorial provided above you should be able to eliminate Mamba from the infected device. novirus.uk team has also prepared an in-depth data recovery guide which you will also find above.
We want to remind you that paying the ransom doesn't necessarily help to recover corrupted data. You might never get an answer from cyber criminals, especially after paying the amount of money they ask you. If you do not have a data backup, you should try these methods.
There are a couple of methods you can apply to recover data encrypted by Mamba:
Test Data Recovery Pro
Although the majority of data recovery tools will be useless when dealing with records corrupted by Mamba, you can try this one particular software recommended by us.
- Download Data Recovery Pro;
- Install Data Recovery on your computer following the steps indicated in the software’s Setup;
- Run the program to scan your device for the data encrypted by Mamba ransomware;
- Recover the data.
Recover individual files using Previous Copies
This method works on computers with a previously created system restore point in them.
- Right-click on the encrypted document you want to recover;
- Click “Properties” and navigate to “Previous versions” tab;
- In the “Folder versions” section look for the available file copies. Choose the desired version and press “Restore”.
No tools capable of decrypting files locked by Mamba are available
It is strongly recommended to take precautions and secure your computer from malware attacks. To protect your PC from Mamba and other dangerous viruses, you should install and keep a powerful malware removal tool, for instance, FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes.
How to prevent from getting ransomware
Securely connect to your website wherever you are
Sometimes you may need to log in to a content management system or server more often, especially if you are actively working on a blog, website, or different project that needs constant maintenance or that requires frequent content updates or other changes. Avoiding this problem can be easy if you choose a dedicated/fixed IP address. It's a static IP address that only belongs to a specific device and does not change when you are in different locations.
VPN service providers such as Private Internet Access can help you with these settings. This tool can help you control your online reputation and successfully manage your projects wherever you are. It is important to prevent different IP addresses from connecting to your website. With a dedicated/fixed IP address, VPN service, and secure access to a content management system, your project will remain secure.
Recover files damaged by a dangerous malware attack
Despite the fact that there are various circumstances that can cause data to be lost on a system, including accidental deletion, the most common reason people lose photos, documents, videos, and other important data is the infection of malware.
Some malicious programs can delete files and prevent the software from running smoothly. However, there is a greater threat from the dangerous viruses that can encrypt documents, system files, and images. Ransomware-type viruses focus on encrypting data and restricting users’ access to files, so you can permanently lose personal data when you download such a virus to your computer.
The ability to unlock encrypted files is very limited, but some programs have a data recovery feature. In some cases, the Data Recovery Pro program can help recover at least some of the data that has been locked by a virus or other cyber infection.