
Mango Ransomware

The Mango Ransomware has been identified as a threatening program by cybersecurity experts. This insidious software employs a strategy of encrypting files on the compromised device and subsequently demanding payment for their decryption. Once initiated on the targeted system, the Mango Ransomware begins the encryption process, modifying the original filenames of the files in question.

To these filenames, Mango appends a distinctive ID assigned to the victim, the email address of the cybercriminal responsible, and a '.mango' extension. As an illustrative example, a file originally labeled '1.doc' transforms into '1.doc.id[9ECFA74E-3316].[duckjahana@onionmail.com].mango.'

Upon the completion of the encryption process, the malware generates two ransom notes. One of these notes appears as a pop-up window titled 'info.hta,' while the other is a text file named 'info.txt.' These files are deposited onto the desktop and into every directory where encryption has occurred. It is also worth noting that the Mango Ransomware belongs to the Phobos Ransomware family, so it shares the behavior described for that family below.
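The naming scheme described above is itself an indicator a responder can act on: the victim ID and the attacker contact are embedded in every encrypted file name, and the two ransom note names mark affected directories. The following is an added example, not code from the article or from any vendor: a small Python parser that splits a Mango-style file name into its parts and triages a directory listing. The ID and email are the ones quoted in the article; the paths and other file names are constructed. Accepting any extension (not only '.mango') is an assumption made so the parser generalizes to other Phobos-family variants that use the same ID-plus-contact layout.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Layout described in the article for files encrypted by Mango:
#   <original name>.id[<victim ID>].[<attacker contact>].<extension>
# The ID is accepted as 8 hex digits, a dash and 4 hex digits, as in the
# sample '9ECFA74E-3316'. The extension is left open (assumption) so the
# same parser also fits other Phobos-family variants with a different suffix.
ENCRYPTED_NAME_RE = re.compile(
    r"^(?P<original>.+?)"
    r"\.id\[(?P<victim_id>[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4})\]"
    r"\.\[(?P<contact>[^\]]+)\]"
    r"\.(?P<extension>[A-Za-z0-9]+)$"
)

# Ransom note file names given in the article.
RANSOM_NOTE_NAMES = {"info.hta", "info.txt"}


@dataclass(frozen=True)
class EncryptedName:
    original: str    # name the file had before encryption
    victim_id: str   # per-victim ID the note asks to be quoted in the email title
    contact: str     # attacker contact embedded in the file name
    extension: str   # appended extension, 'mango' for this variant


def parse_encrypted_name(name: str) -> Optional[EncryptedName]:
    """Split a Phobos-style encrypted file name; return None if it does not match."""
    m = ENCRYPTED_NAME_RE.match(name)
    if m is None:
        return None
    return EncryptedName(m["original"], m["victim_id"], m["contact"], m["extension"])


def triage(paths: Iterable[str]) -> Dict[str, object]:
    """Summarise what the naming scheme reveals about a list of file paths."""
    encrypted: List[EncryptedName] = []
    notes: List[str] = []
    for path in paths:
        base = ntpath.basename(path)  # handles both '\\' and '/' separators
        if base.lower() in RANSOM_NOTE_NAMES:
            notes.append(path)
            continue
        parsed = parse_encrypted_name(base)
        if parsed is not None:
            encrypted.append(parsed)
    return {
        "encrypted": encrypted,
        "notes": notes,
        "victim_ids": {e.victim_id for e in encrypted},
        "contacts": {e.contact for e in encrypted},
        "extensions": {e.extension.lower() for e in encrypted},
    }


# Constructed directory listing for demonstration (paths are made up).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\1.doc.id[9ECFA74E-3316].[duckjahana@onionmail.com].mango",
    r"C:\Users\alice\Documents\budget.xlsx.id[9ECFA74E-3316].[duckjahana@onionmail.com].mango",
    r"C:\Users\alice\Documents\info.txt",
    r"C:\Users\alice\Desktop\info.hta",
    r"C:\Users\alice\Documents\notes.txt",  # untouched file
    r"C:\Windows\System32\ntoskrnl.exe",     # system file, untouched
]

if __name__ == "__main__":
    summary = triage(SAMPLE_LISTING)
    print(f"{len(summary['encrypted'])} encrypted files, {len(summary['notes'])} ransom notes")
    print("victim IDs:", summary["victim_ids"], "contacts:", summary["contacts"])
```

The parsed contact and victim ID are what an incident responder records as indicators and what a file-server scan can key on; the extension set tells you at a glance whether more than one variant is present.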

The Ransom Note Left to the Victims of the Mango Ransomware

The content within the text file communicates that the files rendered inaccessible have undergone encryption, emphasizing the need for the victim to establish contact with the attackers to facilitate the decryption process.

Expanding upon the information, the pop-up message delves into the specifics of the ransomware infection. It clarifies that recovering the encrypted files necessitates the payment of a ransom. The amount of this ransom is purportedly contingent on how swiftly the victim reaches out to the cybercriminals. Importantly, the payment is specified to be made in Bitcoin, a form of cryptocurrency.

Before acquiescing to the ransom demands, the victim is granted the opportunity to test the decryption process on three affected files, subject to certain specifications. At the same time, the note warns the victim against modifying the locked files, using third-party decryption tools, or seeking assistance from external parties. The note frames these warnings as conditions for successful file recovery, on terms set entirely by the attackers.

Threatening Capabilities of the Mango Ransomware Threat

Mango, categorized as a variant within the Phobos family, belongs to a group of sophisticated malware threats. A distinguishing characteristic of Phobos family malware is that it deliberately avoids rendering infected systems inoperable: files crucial to the operating system are left unencrypted so that the machine remains usable. This ransomware variant is capable of encrypting both local files and those shared across a network.

To ensure effective encryption, the Phobos Ransomware terminates processes associated with files that might be considered 'in use' or actively open, such as those in text file readers or database programs. Otherwise, files held open by those processes would be locked and skipped during encryption.

While Phobos programs aim to reduce the likelihood of double encryption by sparing files locked by other ransomware, this approach has inherent limitations. It relies on a predetermined ransomware list, which, by its nature, cannot encompass all potential variations and combinations.

To impede data recovery efforts, the malware deletes the Shadow Volume Copies. Additionally, Phobos includes a geolocation feature, allowing it to collect data and determine whether to proceed with encryption based on factors such as economic strength or geopolitical considerations.

Ransomware programs like Phobos employ multiple techniques to ensure persistence. This includes copying themselves to specific paths and registering with Run keys for auto-start functionality following system reboots.
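The behaviors in the preceding paragraphs, deleting Shadow Volume Copies and registering in Run keys for persistence, are observable from endpoint telemetry and can be correlated to the same executable. The following is an added example, not from the original article: a Python detector run over constructed Sysmon-like process-creation and registry-write events. The specific shadow-copy deletion commands matched (vssadmin, wmic) come from general ransomware tradecraft knowledge, not from this page, and the file paths are hypothetical.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Hypothetical location of the dropped executable (constructed, not from the page).
MALWARE_PATH = r"C:\Users\alice\AppData\Local\1.exe"

# Constructed sample telemetry in a simplified Sysmon-like shape:
# process-creation events carry image/cmdline/parent, registry events key/data.
SAMPLE_EVENTS = [
    {"kind": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet", "parent": MALWARE_PATH},
    {"kind": "process", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete", "parent": MALWARE_PATH},
    {"kind": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\1",
     "data": MALWARE_PATH},
    {"kind": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt", "parent": r"C:\Windows\explorer.exe"},  # benign
    {"kind": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r"C:\Program Files\Vendor\updater.exe"},  # benign vendor autostart
]

# Command lines commonly used to destroy Volume Shadow Copies (general
# ransomware tradecraft, not quoted from this page).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
]
# Run / RunOnce autostart keys, and locations an unprivileged user can write to.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Users\\Public|Temp)\\", re.I)


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Emit one finding per suspicious event, keyed on the responsible executable."""
    findings = []
    for ev in events:
        if ev["kind"] == "process":
            if any(p.search(ev["cmdline"]) for p in SHADOW_DELETE_PATTERNS):
                findings.append({"rule": "shadow_copy_deletion",
                                 "actor": ev["parent"].lower(),
                                 "evidence": ev["cmdline"]})
        elif ev["kind"] == "registry":
            # A Run key pointing into a user-writable directory is the persistence
            # pattern described above; vendor entries under Program Files are not flagged.
            if RUN_KEY_RE.search(ev["key"]) and USER_WRITABLE_RE.search(ev["data"]):
                findings.append({"rule": "run_key_persistence",
                                 "actor": ev["data"].lower(),
                                 "evidence": ev["key"]})
    return findings


def correlate(findings: List[Dict[str, str]]) -> Set[str]:
    """Return executables that both wiped shadow copies and registered for autostart."""
    by_actor: Dict[str, Set[str]] = defaultdict(set)
    for f in findings:
        by_actor[f["actor"]].add(f["rule"])
    wanted = {"shadow_copy_deletion", "run_key_persistence"}
    return {actor for actor, rules in by_actor.items() if wanted <= rules}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['rule']:22} {f['actor']}  <-  {f['evidence']}")
    print("high-confidence ransomware candidates:", correlate(found))
```

Either rule alone produces noise on some fleets (backup agents touch shadow copies, installers write Run keys); requiring both behaviors from the same executable is what makes the combined finding worth paging on.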

Decryption without the involvement of the attackers is rarely feasible, except in cases where the ransomware exhibits severe flaws. Even after meeting the ransom demands, victims often do not receive the promised decryption tools. Paying the ransom is therefore strongly discouraged: it neither guarantees data recovery nor avoids funding further criminal activity.

To thwart further encryptions, removing the Mango Ransomware from the operating system is imperative. However, it's crucial to note that the removal process does not restore files already compromised by the ransomware. This underscores the importance of preventive measures, including regularly tested offline backups, and comprehensive security practices to minimize the impact of such sophisticated malware threats.

The whole text of the ransom note generated by the Mango Ransomware is:

'All your files have been encrypted!

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail: duckjahana@onionmail.com
Write this ID in the title of your message -
Or text in the messenger Telegram: @santasupp
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.

Free decryption as guarantee
Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)

How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/

Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'

The text file created by the threat contains the following message:

'!!!All of your files are encrypted!!!
To decrypt them send e-mail to this address: duckjahana@onionmail.com
Our online operator is available in the messenger Telegram: @santasupp'
