Mango Ransomware is Based on Phobos

The Mango ransomware, a malicious program identified by our researchers, belongs to the Phobos ransomware family. Mango operates by encrypting files and demanding payment for their decryption.

When we executed a sample of this ransomware on our test machine, it encrypted files and modified their filenames. Each original filename was appended with a unique ID assigned to the victim, the cybercriminal's email address, and a ".mango" extension. For instance, a file named "1.jpg" was renamed to "1.jpg.id[9ECFA84E-3316].[duckjahana@onionmail.com].mango".

After the encryption process was complete, two ransom notes were generated. One was presented in a pop-up window titled "info.hta", and the other was a text file named "info.txt", deposited on the desktop and in all encrypted directories.

The message in the text file communicates that the files are now inaccessible as they have been encrypted, and it urges the victim to reach out to the attackers for data decryption.

The pop-up provides further details about the ransomware infection, specifying that file recovery necessitates the payment of a ransom. The amount is purportedly contingent on how promptly the victim contacts the cybercriminals, and payment is to be made in Bitcoin cryptocurrency.

Before complying with the ransom demands, the victim is granted the option to test the decryption process on three affected files, subject to certain specifications. The victim is explicitly cautioned against altering the locked files, using third-party decryption tools, or seeking assistance from third parties.
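The renaming scheme and ransom note names described above are enough to triage a file listing from an affected machine. The following Python sketch is an added example, not code from the article or from any vendor tool: it parses renamed files back to their original names, collects victim IDs, and flags directories that hold both a note and renamed files. The function names and sample paths are hypothetical, and the loose matching of the ID and email fields is an assumption.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Renaming scheme from the article's example:
#   <original name>.id[<victim ID>].[<contact email>].mango
# Assumption: ID and email are matched loosely, since the page shows one sample.
RENAMED = re.compile(
    r"^(?P<original>.+)\.id\[(?P<victim_id>[^\]]+)\]"
    r"\.\[(?P<contact>[^\]\s]+@[^\]\s]+)\]\.mango$",
    re.IGNORECASE,
)
NOTE_NAMES = {"info.hta", "info.txt"}  # ransom note names given in the article

def parse_renamed(path):
    """Return original name, victim ID and contact for a renamed file, else None."""
    match = RENAMED.match(PureWindowsPath(path).name)
    return match.groupdict() if match else None

def triage(paths):
    """Summarise a file listing: renamed files, victim IDs, confirmed directories."""
    hits, per_dir, note_dirs = [], Counter(), set()
    for path in paths:
        win_path = PureWindowsPath(path)
        info = parse_renamed(path)
        if info:
            hits.append((path, info))
            per_dir[str(win_path.parent)] += 1
        elif win_path.name.lower() in NOTE_NAMES:
            note_dirs.add(str(win_path.parent))
    # "info.txt" alone is a common name: confirm only note + renamed file together.
    return {
        "hits": hits,
        "per_dir": dict(per_dir),
        "victim_ids": sorted({info["victim_id"] for _, info in hits}),
        "confirmed_dirs": sorted(d for d in per_dir if d in note_dirs),
    }

# Constructed sample listing (paths are made up; ID and address are the page's).
SAMPLE = [
    r"C:\Users\alice\Desktop\info.txt",
    r"C:\Users\alice\Desktop\1.jpg.id[9ECFA84E-3316].[duckjahana@onionmail.com].mango",
    r"C:\Users\alice\Documents\q3.xlsx.id[9ECFA84E-3316].[duckjahana@onionmail.com].mango",
    r"C:\Users\alice\Documents\info.txt",
    r"C:\Tools\info.txt",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

In the sample, C:\Tools contains only an "info.txt" and is not reported as confirmed, which keeps an ordinary file of that name from raising a false alarm.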

Mango Ransom Note Copies Phobos Layout

The full text of the Mango ransom note reads as follows:

All your files have been encrypted!

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail: duckjahana@onionmail.com
Write this ID in the title of your message -
Or text in the messenger Telegram: @santasupp
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.

Free decryption as guarantee
Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)

How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/

Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

How Can You Best Protect Your Data from Ransomware?

Protecting your data from ransomware involves implementing a combination of preventive measures and proactive practices. Here are some effective strategies to safeguard your data from ransomware attacks:

Regular Backups:
Perform regular and automated backups of your important data. Ensure backups are stored in a location that is not directly accessible from your main network to prevent ransomware from affecting them.

Offline Backups:
Keep offline backups in addition to online backups. This can include external hard drives or offline cloud storage. Since ransomware typically targets connected and network-accessible storage, offline backups are less vulnerable to attacks.

Update Software Regularly:
Ensure that your operating system, antivirus software, and all applications are up-to-date with the latest security patches. Regular updates help protect against known vulnerabilities that ransomware may exploit.

Employee Training:
Provide cybersecurity training for employees to recognize phishing emails, malicious attachments, and other social engineering tactics used by attackers. Awareness can prevent users from inadvertently initiating ransomware infections.

Use Robust Security Software:
Install reputable antivirus and anti-malware software on all devices. Keep these programs updated to ensure they can detect and mitigate new threats, including evolving variants of ransomware.

Network Segmentation:
Implement network segmentation to restrict lateral movement of malware within your network. This helps contain the impact of a potential ransomware infection and prevents it from spreading to critical systems.

January 12, 2024