A new ransomware strain dubbed “Mamona” operates entirely offline and abuses the Windows ping command as part of its attack strategy. What makes Mamona unique is its “mute” operation: it performs all activities locally, with no observed command-and-control channels or data exfiltration. Unlike traditional ransomware that communicates with remote servers, Mamona works completely offline, making it particularly difficult to detect with conventional network monitoring tools. “There’s literally no network activity, so this seems to be a threat to coerce the victim into paying the ransom,” security experts concluded.

Files are encrypted using a homemade cryptographic routine rather than standard libraries, with all encryption logic implemented through low-level memory manipulation and arithmetic operations. Encrypted files receive the “.HAes” extension (e.g., “document.pdf” becomes “document.pdf.HAes”), and a ransom note titled “README.HAes.txt” is dropped in multiple directories. The ransomware changes the desktop wallpaper to display “Your files have been encrypted!”. “Despite the decrypter featuring an outdated interface, it effectively restores encrypted files,” researchers confirmed.

The emergence of Mamona reinforces a concerning trend in the ransomware landscape: the shift toward easily accessible, builder-based ransomware that prioritizes simplicity over sophistication, lowering the barrier to entry for less technical cybercriminals. “This strain highlights a rising trend: ransomware that trades complexity for accessibility. It’s easy to deploy, harder to detect with traditional tools, and still effective enough to encrypt systems and pressure victims into paying,” Mauro Eldritch noted.
Mamona has been linked to campaigns previously run by BlackLock ransomware affiliates, who are also connected to another strain called Embargo. The ransomware gained additional notoriety when the DragonForce group reportedly took over operations after BlackLock was dismantled in March 2025.

“Once the short delay is complete, the second part of the command attempts to delete the executable from disk using Del /f /q,” explained researcher Mauro Eldritch. Despite threatening to leak stolen data in its ransom note, analysis confirms Mamona performs no actual data exfiltration.

While Mamona uses relatively weak encryption methods, its offline operation and ease of use for low-skill cybercriminals pose significant risks to both individuals and organizations. The ransomware particularly threatens small and medium-sized businesses without sophisticated security monitoring.
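Because there is no network traffic to monitor, the host-side traces named above (a ping delay chained to Del /f /q, the .HAes extension and the README.HAes.txt note) are what endpoint telemetry can be hunted for. The following is an added example, not code from the article or the researchers; the event format, sample command lines, paths and the burst threshold are constructed assumptions.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# ping used as a timer, then a chained forced+quiet delete (pattern quoted in the article).
SELF_DELETE = re.compile(
    r"\bping(?:\.exe)?\b[^&|]*&+\s*del\s+(?=[^&|]*/f\b)(?=[^&|]*/q\b)", re.I)
NOTE_NAME = "readme.haes.txt"   # ransom note name from the article
ENC_EXT = ".haes"               # appended extension from the article
BURST = 3                       # assumed threshold of encrypted files per directory

def flags_self_delete(cmdline: str) -> bool:
    """True when a command line waits with ping and then runs del /f /q."""
    return bool(SELF_DELETE.search(cmdline))

def triage(events):
    """events: dicts {'type': 'process'|'file', 'data': str} (assumed format)."""
    findings, per_dir, note_dirs = [], Counter(), set()
    for ev in events:
        if ev["type"] == "process":
            if flags_self_delete(ev["data"]):
                findings.append(("self_delete", ev["data"]))
            continue
        path = PureWindowsPath(ev["data"])
        parent = str(path.parent).lower()
        if path.name.lower() == NOTE_NAME:
            note_dirs.add(parent)
        elif path.suffix.lower() == ENC_EXT:
            per_dir[parent] += 1
    # A directory is suspicious if it holds a note plus encrypted files, or a burst.
    for directory, count in per_dir.items():
        if directory in note_dirs or count >= BURST:
            findings.append(("encrypted_dir", directory))
    return findings

# Constructed sample telemetry (not captured from a real incident).
SAMPLE_EVENTS = [
    {"type": "process", "data": r'cmd.exe /C ping 127.0.0.1 -n 3 > Nul & Del /f /q "C:\Temp\sample.exe"'},
    {"type": "process", "data": "ping 10.0.0.5 -n 4"},
    {"type": "file", "data": r"C:\Users\a\Documents\report.pdf.HAes"},
    {"type": "file", "data": r"C:\Users\a\Documents\README.HAes.txt"},
    {"type": "file", "data": r"C:\Users\a\Pictures\holiday.jpg"},
    {"type": "file", "data": r"C:\Users\b\notes.HAes"},
]

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_EVENTS):
        print(kind, detail)
```

A plain ping or a plain del does not match on its own; only the chained wait-then-forced-delete form does, which keeps routine administrative commands out of the findings.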
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 09 May 2025 16:10:21 +0000