
ANY.RUN Shares Technical Analysis of Mamona, a New Offline Ransomware Strain

DUBAI, DUBAI, UNITED ARAB EMIRATES, May 8, 2025 /EINPresswire.com/ -- ANY.RUN, a trusted provider of cybersecurity solutions, has published a new malware analysis uncovering Mamona, a new commodity ransomware strain that operates entirely offline. The research, conducted by guest contributor Mauro Eldritch, offensive security expert and threat intelligence analyst, reveals how Mamona uses fake extortion tactics, custom encryption, and local execution to evade detection while still encrypting victims' files.

Mamona Ransomware with Silent Tactics

Mamona is part of a growing trend in commodity ransomware: malware created with builder kits and distributed without structured affiliate programs. Recently spotted in campaigns linked to the BlackLock group and loosely connected to Embargo, Mamona skips network communication altogether, relying on local execution to encrypt files and pressure victims.

In-Depth Analysis of Mamona

Key findings of Mamona technical analysis include:

· Emerging threat: Mamona is a newly identified commodity ransomware strain.

· No external communication: The malware operates entirely offline, with no observed Command and Control (C2) channels or data exfiltration.

· Local encryption only: All cryptographic processes are executed locally using custom routines, with no reliance on standard libraries.

· Obfuscated delay technique: A ping to 127[.]0.0[.]7 is used as a timing mechanism, followed by a self-deletion command to minimize forensic traces.

· False extortion claims: The ransom note threatens data leaks, but analysis confirms there is no actual data exfiltration.

· File encryption behavior: User files are encrypted and renamed with the .HAes extension; ransom notes are dropped in multiple directories.

· Decryption available: A working decryption tool was identified and successfully tested, enabling file recovery.

· Functional, despite poor design: The decrypter features an outdated interface but effectively restores encrypted files.
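
As an added defender-side example (not code from the ANY.RUN report or from Mamona itself), the following Python scans process-creation events for the delay-then-self-delete pattern described above: a ping to a loopback address other than 127.0.0.1 chained with a del command. The sample events, their field names and the command lines are constructed assumptions; the report does not quote Mamona's exact command line.

```python
import re
from typing import Optional

# Constructed sample events in a simplified Sysmon Event ID 1 (process creation) shape.
# Command lines are illustrative stand-ins, not strings quoted from the Mamona report.
SAMPLE_EVENTS = [
    {"pid": 4012, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c ping 127.0.0.7 -n 3 > Nul & Del /f /q "C:\Users\Public\update.exe"'},
    {"pid": 4020, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c ping 8.8.8.8 -n 4"},                         # ordinary ping, no delete
    {"pid": 4031, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c del /q "C:\Temp\old.log"'},                  # delete without a ping delay
    {"pid": 4044, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c ping 127.0.0.1 -n 2 & del C:\Temp\t.tmp"},   # 127.0.0.1: weaker signal
]

# A ping to any 127.x.x.x address within one command segment; the address is captured.
LOOPBACK_PING = re.compile(r"\bping(?:\.exe)?\b[^&|]*?\b(127\.\d{1,3}\.\d{1,3}\.\d{1,3})\b", re.I)
# A del/erase command chained after another command with & or | (or standing alone).
CHAINED_DELETE = re.compile(r"(?:^|[&|]\s*)(?:del|erase)\b", re.I)


def classify(cmdline: str) -> Optional[str]:
    """Return a finding label for one command line, or None if the pattern is absent."""
    ping = LOOPBACK_PING.search(cmdline)
    if not ping or not CHAINED_DELETE.search(cmdline):
        return None
    target = ping.group(1)
    # Pinging 127.0.0.1 is a common sleep substitute in ordinary batch scripts; any other
    # loopback address (127.0.0.7 in the Mamona report) is far rarer and worth a higher score.
    if target == "127.0.0.1":
        return "loopback-ping delay followed by delete (low confidence)"
    return f"non-standard loopback ping ({target}) followed by delete (high confidence)"


def detect(events):
    """Run classify() over process-creation events and return one hit per matching event."""
    hits = []
    for ev in events:
        label = classify(ev["cmdline"])
        if label:
            target = LOOPBACK_PING.search(ev["cmdline"]).group(1)
            hits.append({"pid": ev["pid"], "ping_target": target, "finding": label})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The same two regexes can be lifted into a SIEM query over the CommandLine field; the confidence split keeps the 127.0.0.1 sleep idiom used by legitimate scripts from paging an analyst at the same priority.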

To explore the full technical breakdown and see how Mamona behaves inside interactive sandboxes, visit the ANY.RUN blog.

About ANY.RUN

ANY.RUN offers a comprehensive suite of cybersecurity products, including an interactive sandbox and a Threat Intelligence portal. Trusted by over 500,000 professionals globally, the sandbox provides an efficient and user-friendly service for analyzing malware targeting Windows, Linux and Android systems. Additionally, ANY.RUN's Threat Intelligence services, Lookup, Feeds, and YARA Search, enable users to gather critical information about threats and respond to incidents with better speed and accuracy.

The ANY.RUN team
ANYRUN FZCO
+1 657-366-5050
