ANY.RUN Shares Technical Analysis of Mamona, a New Offline Ransomware Strain
DUBAI, DUBAI, UNITED ARAB EMIRATES, May 8, 2025 /EINPresswire.com/ -- ANY.RUN, a trusted provider of cybersecurity solutions, has published a new malware analysis uncovering Mamona, a new commodity ransomware strain that operates entirely offline. The research, conducted by guest contributor Mauro Eldritch, offensive security expert and threat intelligence analyst, reveals how Mamona uses fake extortion tactics, custom encryption, and local execution to evade detection while still encrypting victims' files.
𝐌𝐚𝐦𝐨𝐧𝐚 𝐑𝐚𝐧𝐬𝐨𝐦𝐰𝐚𝐫𝐞 𝐰𝐢𝐭𝐡 𝐒𝐢𝐥𝐞𝐧𝐭 𝐓𝐚𝐜𝐭𝐢𝐜𝐬
Mamona is part of a growing trend in commodity ransomware: malware created with builder kits and distributed without structured affiliate programs. Recently spotted in campaigns linked to the BlackLock group and loosely connected to Embargo, Mamona skips network communication altogether, relying on local execution to encrypt files and pressure victims.
𝐈𝐧-𝐃𝐞𝐩𝐭𝐡 𝐀𝐧𝐚𝐥𝐲𝐬𝐢𝐬 𝐨𝐟 𝐌𝐚𝐦𝐨𝐧𝐚
Key findings of Mamona technical analysis include:
· 𝗘𝗺𝗲𝗿𝗴𝗶𝗻𝗴 𝘁𝗵𝗿𝗲𝗮𝘁: Mamona is a newly identified commodity ransomware strain.
· 𝗡𝗼 𝗲𝘅𝘁𝗲𝗿𝗻𝗮𝗹 𝗰𝗼𝗺𝗺𝘂𝗻𝗶𝗰𝗮𝘁𝗶𝗼𝗻: The malware operates entirely offline, with no observed Command and Control (C2) channels or data exfiltration.
· 𝗟𝗼𝗰𝗮𝗹 𝗲𝗻𝗰𝗿𝘆𝗽𝘁𝗶𝗼𝗻 𝗼𝗻𝗹𝘆: All cryptographic processes are executed locally using custom routines, with no reliance on standard libraries.
· 𝗢𝗯𝗳𝘂𝘀𝗰𝗮𝘁𝗲𝗱 𝗱𝗲𝗹𝗮𝘆 𝘁𝗲𝗰𝗵𝗻𝗶𝗾𝘂𝗲: A ping to 127[.]0[.]0[.]7 is used as a timing mechanism, followed by a self-deletion command to minimize forensic traces. Because the target is a loopback address, the ping produces no traffic that leaves the host and no network indicator; the behavior has to be caught in process creation telemetry.
· 𝗙𝗮𝗹𝘀𝗲 𝗲𝘅𝘁𝗼𝗿𝘁𝗶𝗼𝗻 𝗰𝗹𝗮𝗶𝗺𝘀: The ransom note threatens data leaks, but analysis confirms there is no actual data exfiltration.
· 𝗙𝗶𝗹𝗲 𝗲𝗻𝗰𝗿𝘆𝗽𝘁𝗶𝗼𝗻 𝗯𝗲𝗵𝗮𝘃𝗶𝗼𝗿: User files are encrypted and renamed with the .HAes extension; ransom notes are dropped in multiple directories.
· 𝗗𝗲𝗰𝗿𝘆𝗽𝘁𝗶𝗼𝗻 𝗮𝘃𝗮𝗶𝗹𝗮𝗯𝗹𝗲: A working decryption tool was identified and successfully tested, enabling file recovery.
· 𝗙𝘂𝗻𝗰𝘁𝗶𝗼𝗻𝗮𝗹, 𝗱𝗲𝘀𝗽𝗶𝘁𝗲 𝗽𝗼𝗼𝗿 𝗱𝗲𝘀𝗶𝗴𝗻: The decrypter features an outdated interface but effectively restores encrypted files.
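As an added example, not code from ANY.RUN or from the analysis it summarises: a Python detector for the loopback-ping delay chained with a self-deletion command described in the findings above, run over constructed process-creation command lines, plus a small triage helper for the .HAes extension. The command lines, process IDs and file paths are constructed to match the description on this page; they are not recovered Mamona samples, and the exact command syntax Mamona uses is not given here.

```python
"""Constructed detection example for the behaviours listed above: a loopback
'ping' used as a sleep, chained with 'del' to remove the payload, and a .HAes
triage helper. Sample command lines are constructed, not recovered samples."""
import ipaddress
import re
import shlex
from dataclasses import dataclass, field

# cmd.exe chains segments with &, &&, | and ||; this is enough for
# process-creation telemetry and does not try to model every cmd quoting rule.
CHAIN_RE = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")
CMD_PREFIX_RE = re.compile(r'^\s*(?:"[^"]*?cmd(?:\.exe)?"|\S*?cmd(?:\.exe)?)\s+/[ck]\s+', re.I)
EXEC_EXT = (".exe", ".dll", ".bat", ".cmd", ".ps1", ".scr")
PING_ARG_SWITCHES = {"-w", "-l", "-i", "-v", "-r", "-s", "-j", "-k"}  # take a value


@dataclass
class Finding:
    pid: int
    loopback_target: str
    delay_seconds: int      # approximate: Windows ping waits ~1 s between requests
    deleted: list = field(default_factory=list)
    severity: str = "medium"


def _basename(token: str) -> str:
    return token.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def split_chain(cmdline: str) -> list:
    """Strip a leading 'cmd.exe /c' and split the rest into chained segments."""
    m = CMD_PREFIX_RE.match(cmdline)
    if m:
        cmdline = cmdline[m.end():]
    return [s for s in (x.strip() for x in CHAIN_RE.split(cmdline)) if s]


def _is_loopback(host: str) -> bool:
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False


def parse_ping(tokens: list):
    """Return (target, echo_count) for a ping segment, else None."""
    if _basename(tokens[0]) not in ("ping", "ping.exe"):
        return None
    count, target = 4, None          # Windows ping sends 4 requests by default
    it = iter(tokens[1:])
    for tok in it:
        low = tok.lower()
        if low in ("-n", "/n"):
            nxt = next(it, None)
            if nxt is not None and nxt.isdigit():
                count = int(nxt)
        elif re.fullmatch(r"\d?>>?", low):   # "> Nul": redirect target follows
            next(it, None)
        elif re.match(r"\d?>", low):         # ">nul" attached form
            continue
        elif low.startswith("-") or low.startswith("/"):
            if low in PING_ARG_SWITCHES:
                next(it, None)
        elif target is None:
            target = tok.strip('"')
    return (target, count) if target else None


def parse_del(tokens: list):
    """Return (switches, targets) for a del/erase segment, else None."""
    if _basename(tokens[0]) not in ("del", "erase"):
        return None
    switches = {t.lower() for t in tokens[1:] if t.startswith("/")}
    targets = [t.strip('"') for t in tokens[1:] if not t.startswith("/")]
    return switches, targets


def detect_ping_delete(event: dict):
    """Flag a loopback ping used as a sleep, followed in the same chain by del."""
    ping = None
    for seg in split_chain(event["cmdline"]):
        tokens = shlex.split(seg, posix=False)   # keep backslashes literal
        if not tokens:
            continue
        p = parse_ping(tokens)
        if p and _is_loopback(p[0]):
            ping = p
            continue
        d = parse_del(tokens)
        if d and ping:
            switches, targets = d
            forced = {"/f", "/q"} & switches
            exe_target = any(t.lower().endswith(EXEC_EXT) for t in targets)
            sev = "high" if forced and exe_target else "medium"
            return Finding(event["pid"], ping[0], max(ping[1] - 1, 0), targets, sev)
    return None


def scan_events(events: list) -> list:
    return [f for f in map(detect_ping_delete, events) if f]


def haes_directories(paths: list) -> list:
    """Directories holding files carrying the .HAes extension (triage scope)."""
    return sorted({p.rsplit("\\", 1)[0] for p in paths if p.lower().endswith(".haes")})


# Constructed process-creation records and paths; payload name is hypothetical.
SAMPLE_EVENTS = [
    {"pid": 4120, "cmdline": r"cmd.exe /c ping -n 4 8.8.8.8"},
    {"pid": 4131, "cmdline": r'cmd.exe /c ping 127.0.0.7 -n 3 > Nul & del /f /q "C:\Users\Public\payload.exe"'},
    {"pid": 4137, "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping -n 2 127.0.0.1 >nul && echo done'},
    {"pid": 4150, "cmdline": r"cmd.exe /c del /q C:\Temp\old.log"},
]
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx.HAes",
    r"C:\Users\alice\Pictures\cat.jpg.HAes",
    r"C:\Users\alice\Documents\notes.txt",
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit)
    print(haes_directories(SAMPLE_PATHS))
```

A loopback ping on its own is a common administrator sleep idiom, so the rule only fires when a deletion follows it in the same command chain; `/f /q` plus an executable target raises the severity because that combination is what a self-cleaning payload needs. The delay estimate assumes the roughly one-second gap Windows ping leaves between echo requests and is approximate.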
To explore the full technical breakdown and see how Mamona behaves inside interactive sandboxes, visit the ANY.RUN blog.
𝐀𝐛𝐨𝐮𝐭 𝐀𝐍𝐘.𝐑𝐔𝐍
ANY.RUN offers a comprehensive suite of cybersecurity products, including an interactive sandbox and a Threat Intelligence portal. Trusted by over 500,000 professionals globally, the sandbox provides an efficient and user-friendly service for analyzing malware targeting Windows, Linux and Android systems. Additionally, ANY.RUN's Threat Intelligence services, Lookup, Feeds, and YARA Search, enable users to gather critical information about threats and respond to incidents with better speed and accuracy.
The ANY.RUN team
ANYRUN FZCO
+1 657-366-5050
