This new ransomware hides in plain sight, deletes itself and never calls home – good luck stopping it in time
- Mamona runs quietly, never touches the internet and deletes itself, making it difficult to detect
- A three-second delay followed by self-deletion helps Mamona evade detection rules
- The ransomware's behaviour blends in with normal activity, so the security team's response is delayed
Security researchers are tracking Mamona, a newly identified ransomware family that stands out for its stripped-down design and quiet, purely local execution.
Researchers at Wazuh note that this ransomware avoids the usual dependence on command-and-control servers, opting instead for a self-contained approach that slips past tools that rely on network traffic analysis.
It runs locally on a Windows system as a standalone binary, and this offline behaviour creates a blind spot in conventional defences, forcing a rethink of how even the best antivirus and detection systems must work when there is no network traffic to inspect.
Self-deletion and evasion tactics complicate detection
After execution, it waits roughly three seconds using a modified ping command, cmd.exe /c ping 127.0.0.7 -n 3 > Nul, and then deletes its own binary with Del /f /q.
This self-deletion reduces forensic artefacts, making it harder for researchers to recover the malware after it has run.
Instead of the usual 127.0.0.1, it pings 127.0.0.7, which still reaches the local loopback interface (every address in 127.0.0.0/8 does) but slips past detection rules that match only on the literal 127.0.0.1.
The technique sidesteps simple detection patterns and avoids leaving the digital traces that would alert traditional file-based scanners.
It drops a ransom note titled README.HAES.txt and renames encrypted files with the .haes extension, which indicates that encryption completed.
Wazuh warns that the "plug-and-play nature of the malware is lowering the barrier for cybercriminals, which contributes to the broader commoditization of ransomware."
This shift suggests a need to look more closely at what qualifies as the best ransomware protection, especially when such threats no longer need external control infrastructure to cause damage.
Wazuh's approach to detecting Mamona combines Sysmon for log collection with custom rules that flag specific behaviours, such as ransom-note creation and ping-based delays.
Rule 100901 looks for creation of the file README.HAES.txt, while rule 100902 confirms ransomware activity when both the ransom-note creation and the delay/self-deletion sequence appear together.
These rules help identify indicators that would otherwise escape more general monitoring setups.
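As an added example that is not part of the original article or of Wazuh's published rules, the following Python sketch implements the two-stage logic described above over a few constructed Sysmon-style events: a first stage that flags creation of README.HAES.txt (the role rule 100901 plays), and a second that confirms ransomware only when the same host also shows the loopback-ping delay followed by del /f /q within a short window (the role rule 100902 plays). It also covers the 127.0.0.7 point made earlier: the ping check tests whether the target is any loopback address rather than matching the literal 127.0.0.1. The event shape, field names, the 60-second window and the sample records are all assumptions of this example, not the page's.

```python
"""Two-stage detection of the ransom-note plus ping-delay/self-delete chain.

Stage 1 (analogue of rule 100901): creation of readme.haes.txt, seen as a
Sysmon-style Event ID 11 (FileCreate). Stage 2 (analogue of rule 100902): on
the same host, within a short window, a process creation (Event ID 1) whose
command line sleeps via a loopback ping and then runs del /f /q.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample events in a simplified Sysmon-like shape. They are
# illustrative records written for this example, not telemetry from Wazuh.
SAMPLE_EVENTS = [
    {"ts": "2025-05-01T10:00:00", "host": "ws01", "event_id": 11,
     "image": r"C:\Users\alice\Downloads\invoice.exe",
     "target_filename": r"C:\Users\alice\Documents\README.HAES.txt"},
    {"ts": "2025-05-01T10:00:01", "host": "ws01", "event_id": 1,
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c ping 127.0.0.7 -n 3 > Nul & Del /f /q '
                     r'"C:\Users\alice\Downloads\invoice.exe"'},
    # Benign: an administrator pinging loopback once, no ransom note on host.
    {"ts": "2025-05-01T10:05:00", "host": "ws02", "event_id": 1,
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c ping 127.0.0.1 -n 1"},
    # Benign: an ordinary readme written by an editor.
    {"ts": "2025-05-01T10:06:00", "host": "ws03", "event_id": 11,
     "image": r"C:\Program Files\Editor\editor.exe",
     "target_filename": r"C:\Users\bob\Projects\readme.txt"},
]

RANSOM_NOTE_RE = re.compile(r"(?:^|[\\/])readme\.haes\.txt$", re.IGNORECASE)
PING_RE = re.compile(r"\bping\b(?P<args>[^&|]*)", re.IGNORECASE)
COUNT_RE = re.compile(r"-n\s+(\d+)", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
SELF_DELETE_RE = re.compile(r"\bdel\s+(?:/[fq]\b\s*){2}", re.IGNORECASE)


def is_loopback_ping_delay(command_line: str) -> bool:
    """True when the line pings any 127.0.0.0/8 address with a count above one,
    i.e. uses ping as a sleep, whatever the exact last octets are."""
    m = PING_RE.search(command_line)
    if not m:
        return False
    args = m.group("args")
    count = COUNT_RE.search(args)
    ips = IPV4_RE.findall(args)
    if not count or not ips:
        return False
    try:
        target = ipaddress.ip_address(ips[0])
    except ValueError:
        return False
    return target.is_loopback and int(count.group(1)) > 1


def is_self_delete(command_line: str) -> bool:
    """True when the line contains a forced, quiet delete (del /f /q)."""
    return bool(SELF_DELETE_RE.search(command_line))


def is_ransom_note_create(event: dict) -> bool:
    """Stage 1: FileCreate of readme.haes.txt in any directory, any case."""
    return (event.get("event_id") == 11
            and bool(RANSOM_NOTE_RE.search(event.get("target_filename", ""))))


def is_delay_self_delete_chain(event: dict) -> bool:
    """Process creation that both sleeps via loopback ping and runs del /f /q."""
    cmd = event.get("command_line", "")
    return (event.get("event_id") == 1
            and is_loopback_ping_delay(cmd) and is_self_delete(cmd))


def correlate(events: list, window_seconds: int = 60) -> list:
    """Stage 2: per host, pair a ransom note with the delay/self-delete chain
    seen within window_seconds; report partial signals at a lower level."""
    notes, chains = {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if is_ransom_note_create(ev):
            notes.setdefault(ev["host"], []).append(ts)
        elif is_delay_self_delete_chain(ev):
            chains.setdefault(ev["host"], []).append(ts)
    window = timedelta(seconds=window_seconds)
    alerts = []
    for host in sorted(set(notes) | set(chains)):
        pairs = [(n, c) for n in notes.get(host, [])
                 for c in chains.get(host, []) if abs(n - c) <= window]
        if pairs:
            alerts.append({"host": host, "level": "confirmed",
                           "note_ts": pairs[0][0].isoformat(),
                           "chain_ts": pairs[0][1].isoformat()})
        elif host in notes:
            alerts.append({"host": host, "level": "ransom_note_only",
                           "note_ts": notes[host][0].isoformat()})
        else:
            alerts.append({"host": host, "level": "delay_self_delete_only",
                           "chain_ts": chains[host][0].isoformat()})
    return alerts
```

Run against the constructed events, only ws01 produces a confirmed alert; the lone loopback ping on ws02 and the ordinary readme on ws03 produce nothing. In a real deployment the same two predicates would be expressed as rules over Sysmon fields and the pairing done in the rule engine; the points to carry over are that the ping test keys on the loopback range and the count flag rather than on one literal address, and that the high-confidence alert requires both signals on one host.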
To respond to Mamona before damage is done, Wazuh combines YARA rules with real-time file integrity monitoring (FIM).
When a suspicious file is added or modified, especially in a user's Downloads folder, the Wazuh Active Response module triggers a YARA scan.
This immediate remediation mirrors what one would expect from the best DDoS protection strategies: act quickly, before a deeper compromise occurs.
As ransomware continues to evolve, no antivirus solution can guarantee perfect protection, but solutions with modular response capabilities give defenders a flexible, evolving edge.