In September 2016, a researcher from the company Morphus Labs found an application-extortionist Mamba. Typically, extortionists encrypt files with certain extensions or in specified folders, but Mamba does not trivialize and encrypts the entire contents of the hard drive. Also, changes are made after which the computer stops loading the operating system.

The authors of the extortionist again took up the matter and aimed at large organizations. Analysts from the Kaspersky Lab write that the latest attacks were conducted against targets in Brazil and Saudi Arabia. Mamba uses open source programs like DiskCryptor to encrypt the disk.

After installation, the system reboots.

Changes are made to the master boot record (MBR), disk partitions are encrypted with a password. When the process is completed, the reboot is restarted. Instead of loading the operating system, a note appears asking for redemption.

While there are no methods to decrypt encrypted Mamba disks for free. The reason is a strong encryption algorithm. Users should be cautious about downloading files and links on the Internet. Files before running can be checked in the service Virus Total.