Mamona Ransomware (RAAS) – Offline Commodity Ransomware with Custom Encryption
Summary
A newly identified strain of commodity ransomware named Mamona has emerged in the cybercriminal underground. It diverges from typical ransomware-as-a-service (RaaS) models by functioning entirely offline, relying on custom-built cryptographic routines and using no external command-and-control (C2) infrastructure. Mamona was first spotted in association with BlackLock affiliates, who have connections to the Embargo group; its builder has since been leaked publicly, putting its capabilities in the hands of a much broader set of threat actors.
Attack Type: Ransomware
Target: All Windows systems
Event Timelines
| Date | Event |
| --- | --- |
| 18-03-2025 | Builder tool leaked on clearnet |
| 06-05-2025 | Public technical analysis conducted (via ANY.RUN sandbox) |
| 12-05-2025 | Thread posted on hackforums.net |
Ransomware Detail
Mamona is a recently identified ransomware strain designed to operate entirely offline, which distinguishes it from more conventional ransomware that relies on network-based command-and-control (C2) infrastructure. Unlike Ransomware-as-a-Service (RaaS) operations, which involve structured agreements between developers and affiliates, Mamona is distributed as a builder kit, allowing virtually any threat actor to deploy it independently.
Key technical behaviors include:
- Custom encryption logic with no reliance on Windows CryptoAPI or external libraries (e.g., OpenSSL).
- No C2 communications — Mamona does not attempt to exfiltrate data or retrieve encryption keys.
- Obfuscated delay technique — uses ping 127.0.0.7 as a crude sleep timer.
- Self-deletion routine to erase executable traces via cmd.exe Del /f /q.
- File encryption — Files are renamed with a .HAes extension.
- Ransom note deployment — README.HAes.txt dropped recursively across directories.
- Decryption tool available — a working decryptor has been publicly tested and confirmed to restore encrypted files.
Impact
Exploitation and execution of Mamona ransomware may result in:
- Data Encryption and Loss: Encrypts all user-accessible files with the .HAes extension, resulting in immediate data inaccessibility without reliable backups.
- System Modification and Persistence: Alters system settings (e.g., wallpaper), drops ransom notes across directories, and initiates self-deletion, complicating recovery and forensic analysis.
- Workflow Disruption: Without proper segmentation or automated response, infected environments may experience extended downtime and delayed recovery.
- Business Continuity Impact: Disrupts access to critical documents, configurations, and shared drives, halting essential operations.
Mitigation
- Ensure regular offline backups of critical data.
- Apply strict endpoint detection rules to identify ping-based delays and self-deletion sequences.
- Monitor for usage of leaked builders and suspicious configurations associated with the BlackLock and Embargo groups.
- Educate users about ransomware threats, common infection vectors, and safe execution practices.
- Implement network segmentation to limit the spread of ransomware.
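As an added example (not part of the original advisory), the following Python script shows how the two cmd.exe behaviours described above, the loopback ping used as a sleep timer and the Del /f /q self-deletion, can be matched in process-creation telemetry, which is the endpoint detection rule the mitigation list calls for. The event records are constructed here in a Sysmon-like shape; the field names, file paths and benign control events are assumptions, not data from the page. It generalises the page's 127.0.0.7 observation by flagging any loopback address other than 127.0.0.1, and it raises the self-deletion finding only when the deleted path is the image of the shell's parent process.

```python
"""Flag the cmd.exe behaviours attributed to Mamona: a loopback ping used as a
sleep and a self-deletion via `del /f /q`. Runs over constructed process-creation
events; nothing here is real telemetry."""
import re

# Constructed process-creation events in a Sysmon-like shape (assumed field names).
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 3980, "image": r"C:\Users\alice\Downloads\invoice.exe",
     "cmdline": r"C:\Users\alice\Downloads\invoice.exe"},
    # The documented sequence: delay via a non-standard loopback ping, then
    # delete the binary that launched the shell.
    {"pid": 4136, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c ping 127.0.0.7 & Del /f /q "C:\Users\alice\Downloads\invoice.exe"'},
    # Benign control: an administrator pinging the standard loopback address.
    {"pid": 5000, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c ping 127.0.0.1"},
    # Benign control: a script removing a log file, not an executable.
    {"pid": 5010, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c del /f /q C:\temp\old.log"},
]

# `ping` followed, within the same chained command, by a 127.x.x.x address.
PING_RE = re.compile(r"\bping(?:\.exe)?\b[^&|]*?(127\.\d{1,3}\.\d{1,3}\.\d{1,3})", re.IGNORECASE)
# `del` with optional switches, capturing the target path (quoted or bare).
DEL_RE = re.compile(r"\bdel\b\s+(?:/[a-z]\s+)*\"?([^\"&|]+?)\"?\s*(?:&|\||$)", re.IGNORECASE)
EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".com")


def analyze(events):
    """Return a list of findings; each is a (pid, rule, detail) tuple."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not e["image"].lower().endswith("cmd.exe"):
            continue
        cmd = e["cmdline"]
        ping = PING_RE.search(cmd)
        delete = DEL_RE.search(cmd)

        # Any loopback address other than 127.0.0.1 is an odd choice for a real
        # connectivity check and matches the delay trick the advisory describes.
        delayed = bool(ping) and ping.group(1) != "127.0.0.1"
        if delayed:
            findings.append((e["pid"], "loopback_ping_delay", ping.group(1)))

        self_delete = False
        if delete:
            target = delete.group(1).strip()
            parent = by_pid.get(e["ppid"])
            if parent and parent["image"].lower() == target.lower():
                # The shell is deleting the very binary that spawned it.
                self_delete = True
                findings.append((e["pid"], "self_deletion", target))
            elif target.lower().endswith(EXECUTABLE_EXTS):
                # Weaker signal: an executable deleted from a shell, parent unknown.
                findings.append((e["pid"], "executable_deletion", target))

        # Both tricks in one command line is the full sequence described above.
        if delayed and self_delete:
            findings.append((e["pid"], "mamona_delay_then_self_delete", cmd))
    return findings


def rules_for(findings, pid):
    """Sorted rule names that fired for one process id (convenience for review)."""
    return sorted(rule for p, rule, _ in findings if p == pid)


if __name__ == "__main__":
    for pid, rule, detail in analyze(SAMPLE_EVENTS):
        print(f"pid={pid} {rule}: {detail}")
```

The parent-image correlation is what keeps the self-deletion rule quiet on ordinary cleanup scripts: a shell deleting some executable is only a weak signal, but a shell deleting its own parent's image is the pattern worth alerting on.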
MITRE ATT&CK Mapping
| Category | MITRE ATT&CK Technique | Description |
| --- | --- | --- |
| Discovery | T1012 – Query Registry | Mamona queries the Windows registry to identify system configurations (e.g., language, hostname). |
| Discovery | T1082 – System Information Discovery | Harvests basic host details like system name, architecture, and environment. |
| Execution | T1059.003 – Command and Scripting Interpreter: Windows Command Shell | Uses cmd.exe to invoke ping 127.0.0.7 for delay and Del /f /q to delete the ransomware binary. |
| Defense Evasion | T1070.004 – Indicator Removal on Host: File Deletion | Mamona uses a separate shell process to delete itself after launching, erasing on-disk evidence. |
| Defense Evasion | T1027 – Obfuscated Files or Information | Uses 127.0.0.7 instead of the common 127.0.0.1 as an anti-detection evasion technique. |
| Impact | T1486 – Data Encrypted for Impact | Encrypts files with a custom routine; adds the .HAes extension. |
| Impact | T1491.001 – Defacement: Internal Defacement | Alters system wallpaper to intimidate the victim with encryption warnings. |
Indicators of Compromise (IOCs)
| Type | Value |
| --- | --- |
| SHA256 Hash | c5f49c0f566a114b529138fbd222865c9fa9fa95f96ec1ded50700764a1d4e7 |
| SHA256 Hash | b6c969551f35c5de1ebc234fd688d7aa11eac01008013914dbc53f3e811c7c77 |
| File Extension | .HAes |
| Dropped Files | README.HAes.txt |
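An added example, not from the advisory or from Snowbit, of a host-side sweep for the file artifacts in this table: it enumerates files carrying the .HAes extension, locates README.HAes.txt notes, and compares the SHA-256 of any executables against the hash values listed above (copied verbatim). The directory tree it scans is constructed in a temporary folder so the script runs offline; the folder layout, file names and file contents are placeholders.

```python
"""Sweep a directory tree for the Mamona file artifacts listed in the IoC table.
The sample tree is constructed on the fly; no real sample is involved."""
import hashlib
import os
import tempfile
from pathlib import Path

# Copied verbatim from the IoC table above; matching is an exact string compare.
KNOWN_SHA256 = {
    "c5f49c0f566a114b529138fbd222865c9fa9fa95f96ec1ded50700764a1d4e7",
    "b6c969551f35c5de1ebc234fd688d7aa11eac01008013914dbc53f3e811c7c77",
}
ENCRYPTED_EXT = ".HAes"
RANSOM_NOTE = "README.HAes.txt"


def sha256_of(path):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root):
    """Walk `root`; return sorted lists of encrypted files, ransom notes and
    executables whose SHA-256 matches a listed hash."""
    result = {"encrypted": [], "notes": [], "hash_hits": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            lower = name.lower()
            if lower == RANSOM_NOTE.lower():
                result["notes"].append(str(p))
            elif lower.endswith(ENCRYPTED_EXT.lower()):
                result["encrypted"].append(str(p))
            elif lower.endswith(".exe") and sha256_of(p) in KNOWN_SHA256:
                result["hash_hits"].append(str(p))
    for key in result:
        result[key].sort()
    return result


def build_sample_tree():
    """Construct a throwaway directory imitating an affected share (placeholder
    names and contents); returns its path."""
    root = Path(tempfile.mkdtemp(prefix="haes_demo_"))
    (root / "finance").mkdir()
    (root / "finance" / "q1.xlsx.HAes").write_bytes(b"constructed ciphertext")
    (root / "finance" / RANSOM_NOTE).write_text("constructed note")
    (root / RANSOM_NOTE).write_text("constructed note")
    (root / "notes.txt").write_text("untouched")
    (root / "tool.exe").write_bytes(b"constructed, not the real sample")
    return root


if __name__ == "__main__":
    for category, paths in sweep(build_sample_tree()).items():
        print(f"{category}: {len(paths)}")
        for path in paths:
            print("  ", path)
```

Because the ransom note is dropped recursively, counting notes per directory gives a quick map of how far the encryption run progressed before it was stopped; the hash check only catches a still-present binary, which the self-deletion routine above makes unlikely, so treat the .HAes and note hits as the primary evidence.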
Snowbit Response
Snowbit has implemented detection and protection measures against Mamona ransomware. These measures are integrated into our ransomware file enrichment, and an alert is in place to flag encryption activity associated with this threat.
References
Mamona Ransomware Public Builder Found