Mamba
Mamba, also referred to as HDDCrypt or HDDCryptor, is a ransomware family first reported in 2016 that encrypts entire hard drive partitions rather than only individual files. It performs disk-level encryption by bundling the open-source DiskCryptor utility, then writes a custom boot loader to the master boot record (MBR) so the infected system no longer boots into the operating system and instead shows the attacker's ransom screen at startup. Reported ransom demands were one Bitcoin.
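The boot-sector tampering described above can be caught without knowing anything about the specific loader: capture the first sector of each disk while the host is clean, keep a hash of its boot code, and alert when the boot code changes while the partition table stays intact (a loader swap, not a repartition). The script below is an added example written for this page, not code from the original page or from any vendor analysis. It relies on the standard 512-byte MBR layout (446 bytes of boot code, a 64-byte table of four 16-byte partition entries, the 0x55AA signature); the baseline hash, the sample sectors and the stand-in boot-code bytes are constructed for the example.

```python
"""
Added example: detect a rewritten MBR boot loader by comparing the boot-code
bytes of sector 0 against a baseline captured when the host was clean.

Assumptions (not from the page): classic 512-byte MBR layout, and a baseline
SHA-256 of the boot code recorded during a known-good state.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into boot code, partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # entry layout: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": sector[:BOOT_CODE_LEN],
            "partitions": entries,
            "signature": sector[510:512]}


def check_mbr(sector: bytes, baseline_boot_hash: str) -> dict:
    """Compare one sector's boot code against the baseline hash; keep the partition
    table in the result so an analyst can see whether only the loader changed."""
    mbr = parse_mbr(sector)
    boot_hash = hashlib.sha256(mbr["boot_code"]).hexdigest()
    return {"valid_signature": mbr["signature"] == SIGNATURE,
            "boot_code_changed": boot_hash != baseline_boot_hash,
            "boot_code_sha256": boot_hash,
            "partitions": [p for p in mbr["partitions"] if p["type"] != 0]}


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test sector: the given boot code, one NTFS-typed partition, valid signature."""
    boot = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    # status 0x80 (active), type 0x07 (NTFS), LBA start 2048, 1,000,000 sectors
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)
    return boot + table + SIGNATURE


# Constructed stand-ins: a few bytes that play the role of a vendor boot stub,
# and a replacement loader carrying a ransom string. Neither is real malware code.
CLEAN_BOOT = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"
TAMPERED_BOOT = b"\xeb\x3cYou are Hacked ! H.D.D. Encrypted"

# Baseline recorded while the host was clean (computed here from the constructed stub).
BASELINE_HASH = hashlib.sha256(CLEAN_BOOT.ljust(BOOT_CODE_LEN, b"\x00")).hexdigest()


def demo() -> tuple:
    """Run the check on a clean and a tampered sample sector."""
    clean = check_mbr(build_sample_mbr(CLEAN_BOOT), BASELINE_HASH)
    bad = check_mbr(build_sample_mbr(TAMPERED_BOOT), BASELINE_HASH)
    return clean, bad


if __name__ == "__main__":
    clean, bad = demo()
    print("clean host, boot code changed:", clean["boot_code_changed"])
    print("tampered host, boot code changed:", bad["boot_code_changed"],
          "| partition table unchanged:", bad["partitions"] == clean["partitions"])
```

On a live Windows host the sector would come from reading the first 512 bytes of \\.\PhysicalDrive0 with administrative rights; on a forensic image it is simply the first 512 bytes of the file. A changed boot code with an unchanged partition table is the signature of a loader swap and deserves a page even before any ransom screen appears.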
Mamba was first identified by Morphus Labs in Brazil, with further infections identified in the United States and India. It was believed to spread through phishing emails and malicious downloads. Reporting describes the malware using legitimate tools, DiskCryptor for the encryption itself and Netpass (a password-recovery utility), and running dccon.exe and mount.exe during the encryption phase, which covers local files as well as mapped network drives.
The ransom note cited in the reporting read: "You are Hacked ! H.D.D. Encrypted , Contact Us For Decryption Key", with the contact email w889901665@yandex.com and a victim identifier field such as "YOURID: 123152". Mamba has been compared to Petya because both manipulate the boot process, but the reporting stresses that Mamba relies on whole-partition disk encryption rather than traditional file-by-file encryption. Later reporting notes new variants in the second half of 2019 and a resurgence of Mamba attacks around Q1 2020.
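Because Mamba leans on legitimate tools, the most practical host-side detection is the combination of those tools appearing on one machine in a short window: a DiskCryptor console launch on its own is an admin encrypting a laptop, but dccon.exe alongside mount.exe and a password-recovery utility is the pattern the reporting above describes. The script below is an added example for this page, not code from the original page or from any vendor. It assumes process-creation events flattened to JSON lines with host, ts (epoch seconds), image and cmdline fields (a Sysmon Event ID 1 export would look similar once a collector flattens it); the image names come from the page, while the weights, the 15-minute window, the severity labels and the sample log lines (including the dccon command line) are constructed for the example.

```python
"""
Added example: score constructed process-creation events for the tool
combination attributed to Mamba/HDDCryptor (dccon.exe, mount.exe, netpass.exe).

Assumptions (not from the page): JSON-lines input with host/ts/image/cmdline,
the weights, the correlation window and the severity rule.
"""
import json
from collections import defaultdict

# Image names named in the Mamba reporting; the weights are an assumption.
TOOL_WEIGHTS = {
    "dccon.exe": 3,    # DiskCryptor console, drives the partition encryption
    "mount.exe": 2,    # mounting of volumes / mapped drives during encryption
    "netpass.exe": 2,  # password-recovery utility
}
WINDOW_SECONDS = 15 * 60   # assumption: the tools are run back to back
ALERT_THRESHOLD = 3        # dccon.exe alone is enough to surface a medium finding


def image_name(path: str) -> str:
    """Normalise a Windows or POSIX path to its lower-cased file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_events(lines):
    """Group tool launches per host and return hosts whose best sliding window
    of tool launches reaches the alert threshold."""
    per_host = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        name = image_name(ev["image"])
        if name in TOOL_WEIGHTS:
            per_host[ev["host"]].append((float(ev["ts"]), name, ev.get("cmdline", "")))

    findings = {}
    for host, evs in per_host.items():
        evs.sort()
        best = set()
        # slide a window over the launches; keep the distinct-tool set with the highest score
        for i, (t0, _, _) in enumerate(evs):
            window = {name for ts, name, _ in evs[i:] if ts - t0 <= WINDOW_SECONDS}
            if sum(TOOL_WEIGHTS[n] for n in window) > sum(TOOL_WEIGHTS[n] for n in best):
                best = window
        score = sum(TOOL_WEIGHTS[n] for n in best)
        if score >= ALERT_THRESHOLD:
            findings[host] = {
                "score": score,
                "tools": sorted(best),
                "severity": "high" if "dccon.exe" in best and len(best) > 1 else "medium",
            }
    return findings


# Constructed sample telemetry, not real logs. WS01 shows the full tool chain,
# WS02 is benign, WS03 runs a lone mount.exe and must stay below the threshold.
SAMPLE_LOG = [
    r'{"host":"WS01","ts":1700000000,"image":"C:\\Users\\a\\AppData\\Local\\Temp\\netpass.exe","cmdline":"netpass.exe"}',
    r'{"host":"WS01","ts":1700000120,"image":"C:\\Users\\a\\AppData\\Local\\Temp\\dccon.exe","cmdline":"dccon.exe -encrypt pt0"}',
    r'{"host":"WS01","ts":1700000200,"image":"C:\\Users\\a\\AppData\\Local\\Temp\\mount.exe","cmdline":"mount.exe"}',
    r'{"host":"WS02","ts":1700000300,"image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe"}',
    r'{"host":"WS03","ts":1700000400,"image":"C:\\Program Files\\Tools\\mount.exe","cmdline":"mount.exe --help"}',
]


if __name__ == "__main__":
    for host, f in score_events(SAMPLE_LOG).items():
        print(host, f["severity"], f["score"], ", ".join(f["tools"]))
```

The same grouping translates directly into a SIEM correlation rule: one process-creation event per image name, grouped by host over the window, with the threshold on the summed weights. Pairing it with the MBR baseline check gives both a pre-encryption signal (the tooling) and a post-encryption one (the rewritten loader).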
Techniques & procedures
8 distinct techniques documented for this family, organized by ATT&CK tactic:
Initial Access: 2 techniques
Persistence: 1 technique
Stealth: 1 technique
Credential Access: 1 technique
Discovery: 1 technique
Impact: 3 techniques
Quoted from source reporting: "A variant of ransomware has been discovered, which encrypts not only files, but the entire hard drive as well... It will then use two programs called 'dccon.exe' and 'mount.exe,' which are responsible for encrypting the files on the computer, and all mapped network drives."
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
4 sources tracked across advisories, community write-ups, and news:
Ransomware that overwrites the Master Boot Record (MBR), manipulates the boot process, and encrypts entire disk partitions rather than only individual files. It also encrypts files on the computer and mapped network drives, preventing the PC from booting unless a decryption key is provided.
2FA-focused phishing kit; content discusses URL-parameter-based detection improvements (base64-encoded parameters).
Ransomware that leverages the open-source DiskCryptor and writes a custom bootloader to the MBR; noted as gaining traction with new variants (including one found in H2 2019).
Ransomware known here for leveraging DiskCryptor to lock victim machines.