
Mamai Ransomware

Mamai is a ransomware threat that can cause significant damage to the devices it successfully infects. Once executed, it encrypts files and appends a '.mamai10' extension to their names: a file originally named '1.doc' appears as '1.doc.mamai10' after encryption. The number in the appended extension differs between variants, so detection logic should match the '.mamai' prefix rather than the exact digits. Mamai is a variant of the MedusaLocker ransomware family.

Once encryption is complete, Mamai drops a ransom note named 'How_to_back_files.html' on the desktop of the infected machine. The wording of the note ('YOUR COMPANY NETWORK HAS BEEN PENETRATED') indicates that Mamai is aimed primarily at companies rather than individual home users.
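The two indicators above (the variant-dependent '.mamai&lt;N&gt;' extension and the 'How_to_back_files.html' note) are enough to triage a share or host without touching the encrypted files. The script below is an added example and not code from the original write-up; it assumes only those two indicators, treats the digits after '.mamai' as variable, and builds a constructed sample directory so it runs offline. It is read-only by design, because the note warns that renaming or modifying encrypted files can make them unrecoverable.

```python
"""Read-only triage helper for a suspected Mamai (MedusaLocker) infection.

Added example, not code from the original write-up. It assumes only the
indicators the write-up gives: encrypted files carry a '.mamai<N>' suffix
(N varies by variant) and the note is named 'How_to_back_files.html'.
The directory layout created by build_sample_tree() is constructed.
"""
import os
import re
import tempfile
from pathlib import Path

# Variant-agnostic: matches '.mamai10', '.mamai12', ... at the end of a name.
MAMAI_EXT = re.compile(r"\.mamai\d+$", re.IGNORECASE)
RANSOM_NOTE = "How_to_back_files.html"


def is_mamai_encrypted(name: str) -> bool:
    """True if the file name ends in a Mamai-style extension."""
    return MAMAI_EXT.search(name) is not None


def original_name(name: str) -> str:
    """Strip the appended extension to recover the pre-encryption name.

    Used only for reporting; the file on disk is never renamed.
    """
    return MAMAI_EXT.sub("", name)


def scan_tree(root: str) -> dict:
    """Walk `root` and collect Mamai indicators without modifying anything.

    Returns the number of encrypted files, the distinct extension variants
    seen, every directory holding a ransom note, and the earliest mtime
    among encrypted files (a rough lower bound for when encryption began).
    """
    result = {
        "encrypted": 0,
        "variants": set(),
        "note_dirs": [],
        "first_seen": None,
    }
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            if fname == RANSOM_NOTE:
                result["note_dirs"].append(dirpath)
                continue
            if is_mamai_encrypted(fname):
                result["encrypted"] += 1
                result["variants"].add(MAMAI_EXT.search(fname).group(0).lower())
                mtime = os.path.getmtime(full)
                if result["first_seen"] is None or mtime < result["first_seen"]:
                    result["first_seen"] = mtime
    return result


def build_sample_tree() -> str:
    """Create a constructed directory that mimics a hit file share."""
    root = tempfile.mkdtemp(prefix="mamai_demo_")
    docs = Path(root, "docs")
    docs.mkdir()
    (docs / "1.doc.mamai10").write_bytes(b"\x00" * 64)        # constructed
    (docs / "budget.xlsx.mamai10").write_bytes(b"\x00" * 64)  # constructed
    (docs / RANSOM_NOTE).write_text("YOUR PERSONAL ID: ...")  # constructed
    (Path(root) / "readme.txt").write_text("not encrypted")    # constructed
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    report = scan_tree(demo_root)
    print(f"encrypted files : {report['encrypted']}")
    print(f"variants seen   : {sorted(report['variants'])}")
    print(f"note locations  : {report['note_dirs']}")
```

Run it against a mounted share or a forensic image rather than the live, still-infected host where possible. The earliest modification time it reports is only a lower bound for the start of encryption; correlate it with authentication and remote-access logs to find the initial entry.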

The Mamai Ransomware Leaves a Note with Demands to Its Victims

The ransom note states that the victim's company network has been compromised and that files have been encrypted with a combination of RSA and AES (the usual arrangement in such families is per-file AES encryption with the AES keys wrapped by the attackers' RSA public key, so the files cannot be recovered without the matching private key). It warns that renaming or modifying the encrypted files, or using third-party decryption tools, will result in permanent data loss. The attackers also claim to have exfiltrated confidential and personal data, which makes this a double-extortion operation: payment is demanded both for the decryptor and for not leaking the stolen files.

The note does not state the ransom amount; victims are told to contact the attackers over a Tor site or two email addresses for a price, and are warned that the price increases if no contact is made within 72 hours. If they refuse to pay, the files stay encrypted and the stolen data is to be released publicly or sold. The attackers also offer to decrypt two or three unimportant files free of charge as proof that their decryptor works.

Following a ransomware infection, decryption is usually impossible without the attackers' private key. Victims may be able to restore their data without contacting the criminals only if the specific ransomware is still in development or has serious implementation flaws, or if clean backups exist.

Despite meeting the ransom demands, victims often do not receive the decryption keys or tools. Therefore, we strongly advise against paying the ransom since data recovery is not guaranteed, and paying also supports criminal activity.

Take the Security of Your Devices and Data Seriously

To boost the security of their devices and data and prevent ransomware attacks, users should adopt a comprehensive approach that includes both technical measures and best practices. Firstly, they should ensure that all their devices, including computers, mobile devices, and IoT devices, are updated with the latest software and security patches. This closes known vulnerabilities that attackers could otherwise exploit to get in.

Users should use strong, unique passwords for all their online accounts and devices and enable two-factor authentication wherever it is offered. This makes it far harder for attackers to gain unauthorized access to accounts and devices; for a company-targeting family such as Mamai, remote-access logins protected only by a password are a common entry point.

Always be cautious when opening email attachments or clicking links from unknown or unexpected sources. Phishing emails are a common delivery method for ransomware and other malware.

One of the best measures against the damage caused by ransomware is to create regular backups of all important files and data and to keep them in a secure location that is offline or otherwise unreachable from the production network, since ransomware that can reach a backup share will encrypt it too. Test restores periodically: a backup that has never been restored is not a known-good backup. This enables victims to recover their data after a ransomware attack or other disaster.

Lastly, users should educate themselves on ransomware and other cybersecurity threats and adopt a proactive mindset toward cybersecurity. This includes keeping up with the latest threats, staying vigilant, and being prepared to respond to an attack. By adopting these measures, users can boost their security and prevent ransomware attacks from causing significant damage to their devices and data.

The text of the Mamai ransom note ('How_to_back_files.html') reads:

'YOUR PERSONAL ID:

/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\
All your important files have been encrypted!

Your files are safe! Only modified. (RSA+AES)

ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE
WILL PERMANENTLY CORRUPT IT.
DO NOT MODIFY ENCRYPTED FILES.
DO NOT RENAME ENCRYPTED FILES.

No software available on internet can help you. We are the only ones able to
solve your problem.

We gathered highly confidential/personal data. These data are currently stored on
a private server. This server will be immediately destroyed after your payment.
If you decide to not pay, we will release your data to public or re-seller.
So you can expect your data to be publicly available in the near future..

We only seek money and our goal is not to damage your reputation or prevent
your business from running.

You will can send us 2-3 non-important files and we will decrypt it for free
to prove we are able to give your files back.

Contact us for price and get decryption software.

qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion

Note that this server is available via Tor browser only

Follow the instructions to open the link:

Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.

Now you have Tor browser. In the Tor Browser open qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion

Start a chat and follow the further instructions.
If you can not use the above link, use the email:
ithelp01@decorous.cyou
ithelp01@wholeness.business

To contact us, create a new free email account on the site: protonmail.com
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.'
