MaMoCrypt Ransomware Description
While the MaMoCrypt Ransomware shows little deviation from what is considered the typical behavior for such a threat at the surface, taking a closer look at the underlying code reveals some rather peculiar details. The MaMoCrypt Ransomware is a crypto locker threat based on the MZRevenge Ransomware. It is packed using 'mpress.'
Once inside the targeted computer, the MaMoCrypt Ransomware proceeds to delete the Shadow Volume Copies created by the default Windows backup service. The threat also disables both the default firewall and the User Account Control facility. The truly unique features, however, begin with the start of the encryption process. The MaMoCrypt Ransomware goes after files located in a list of 23 hardcoded locations. These include most of the folders under the 'C:\Users\%user%' path, drives A to Z except C, the Steam folder located under Program Files, and 'C:\ProgramData\Microsoft\Windows\Start Menu\.' The MaMoCrypt Ransomware affects nearly all file types; more specifically, the threat is capable of encrypting a total of 339 specific file extensions.
When it begins the encryption process, the MaMoCrypt Ransomware generates two keys and a mask, which it then uses to derive two encryption keys for every file. The data is first encrypted with AES-128 in CBC mode and then put through a second layer of encryption, this time with Twofish-128 in CFB mode. Every 'locked' file has the extension '.MZ173802' appended to its original filename. The ransom note is then dropped, in sequential order, in every folder containing encrypted files. The name of the text file carrying the instructions from the hackers is 'How Do I Recover My Files (Readme).txt.'
Fortunately for victims of the MaMoCrypt Ransomware, researchers have released a decryption tool that should be capable of restoring most of the data. There are two very important caveats that must be mentioned, though. Due to the threat's unique encryption system, the decryption process depends heavily on the order in which the files were encrypted. And because the hackers overlooked an error in their encryption configuration, files bigger than 4GB are damaged by the MaMoCrypt Ransomware permanently.
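The file-system artefacts described above (the '.MZ173802' extension, the ransom note name, one note per affected folder, and the 4GB damage threshold) can be turned into a simple triage sweep. The following Python script is an added example, not code from the write-up or from the decryption tool; the 4GB limit is interpreted as 4 GiB, which is an assumption.

```python
"""Triage sweep for MaMoCrypt artefacts on a mounted file system (defender side)."""
import os
from pathlib import Path

ENCRYPTED_EXT = ".MZ173802"                       # extension appended to locked files
RANSOM_NOTE = "How Do I Recover My Files (Readme).txt"
# Files above this size are reported as likely unrecoverable; the 4GB figure is
# from the write-up, reading it as 4 GiB is an assumption of this example.
SIZE_LIMIT = 4 * 1024 ** 3


def scan_tree(root, size_limit=SIZE_LIMIT):
    """Walk `root` and collect the indicators the write-up describes.

    Returns a dict with:
      encrypted      - paths ending in the MaMoCrypt extension
      notes          - folders that contain the ransom note
      missing_note   - folders with encrypted files but no note (possibly interrupted run)
      oversized      - encrypted files larger than `size_limit` (likely unrecoverable)
      original_names - best-effort original file names (extension stripped)
    """
    result = {"encrypted": [], "notes": [], "missing_note": [],
              "oversized": [], "original_names": []}
    for dirpath, _dirs, files in os.walk(root):
        folder = str(Path(dirpath))
        has_note = RANSOM_NOTE in files
        has_encrypted = False
        for name in files:
            if not name.endswith(ENCRYPTED_EXT):
                continue
            has_encrypted = True
            path = Path(dirpath) / name
            result["encrypted"].append(str(path))
            result["original_names"].append(name[: -len(ENCRYPTED_EXT)])
            try:
                if path.stat().st_size > size_limit:
                    result["oversized"].append(str(path))
            except OSError:
                pass  # unreadable entry: skip it rather than abort the sweep
        if has_note:
            result["notes"].append(folder)
        elif has_encrypted:
            result["missing_note"].append(folder)
    return result


def summarize(result):
    """One-line summary for an incident ticket."""
    return (f"{len(result['encrypted'])} encrypted file(s), ransom note in "
            f"{len(result['notes'])} folder(s), {len(result['missing_note'])} folder(s) "
            f"without a note, {len(result['oversized'])} likely unrecoverable (>4GB)")
```

Run it as `python scan.py` after importing `scan_tree` and `summarize` against a mounted image of the affected drive; the `oversized` list tells the victim up front which files the decryptor cannot bring back.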