Wazuh has issued new detection rules to address Mamona, a ransomware variant targeting Windows users that deletes itself soon after encrypting files and deploying ransom notes.
The Mamona strain is known for its ability to quickly encrypt files, leave a ransom message, and erase its presence within seconds, complicating detection and post-infection analysis. Unlike more elaborate ransomware-as-a-service models, Mamona uses a lightweight approach that increases the potential for damage while limiting opportunities for recovery, according to details released by the Wazuh threat intelligence team.
Attack lifecycle
According to Wazuh, upon execution on a target system, Mamona first searches for files to encrypt, applying the “.HAes” file extension to affected data. Once encryption is complete, it places a ransom note named “README.HAes.txt” in compromised directories, providing payment and contact instructions for the victim. The ransomware then initiates a command that delays activity for three seconds before triggering a self-deletion process, effectively removing traces of the executable from the system.
Mamona does not employ advanced methods to evade detection by security software. However, the rapid series of actions it performs can allow the ransomware to finish its tasks before standard endpoint protection solutions are able to intervene. This presents a risk to organisations that have not implemented dedicated monitoring or detection strategies for such threats.
Links to cybercrime groups
The ransomware’s use has been connected to affiliates of the BlackLock group, which has since ceased operations, with reports attributing more recent Mamona campaigns to a group calling itself DragonForce. The simplified nature of Mamona, Wazuh states, distinguishes it from ransomware distributed as a commercial service, as it operates entirely offline using its own encryption routine.
Detection measures introduced
Wazuh’s approach to detecting and mitigating Mamona revolves around a collection of monitoring and alerting mechanisms that operate at multiple levels of the system.
“Wazuh uses a combination of file integrity monitoring, log-based detection, and custom rules to detect Mamona’s activity at multiple stages. Specifically, the platform can:
Malware Signature Detection: Identifies the Mamona executable through rules and hash-based matching that work seamlessly with intelligence platforms like YARA or VirusTotal.
File Integrity Monitoring (FIM): Detects when a file is modified or created, then scans it with YARA to check for known malicious signatures.
Command Monitoring: Uses Sysmon to flag suspicious command-line activity using custom detection rules, including the ping-based delay and self-deletion sequence.
Dashboard Alerts: Surfaces relevant events in the Wazuh dashboard for immediate investigation and response.”
This capability includes signature-based detection methods, monitoring changes to files via File Integrity Monitoring (FIM), and actively flagging unusual command-line behaviour, which encompasses Mamona’s characteristic ping-delay and self-removal commands.
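The lifecycle described above (the “.HAes” extension, the “README.HAes.txt” note, and a ping-based delay chained with deletion of the executable) and the command-monitoring and FIM approach Wazuh describes can be reduced to three small rules. The following is an added illustration, not Wazuh’s own rule set or code: it evaluates constructed Sysmon-style process-creation and file-creation events in Python. The event layout, the process GUIDs and file paths, the command line used to exercise the self-deletion rule, and the mass-write threshold of five files are all assumptions made for the example.

```python
"""Added example: rule logic for the Mamona indicators named in the article,
run over constructed Sysmon-style events (not real telemetry, not Wazuh code)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Tuple

@dataclass(frozen=True)
class Event:
    """Minimal stand-in for a Sysmon record (assumed field layout)."""
    event_id: int            # 1 = process create, 11 = file create
    process_guid: str        # ties file writes and commands to one process
    image: str               # executable that produced the event
    command_line: str = ""   # populated for EventID 1
    target_filename: str = ""  # populated for EventID 11

RANSOM_EXT = ".haes"                 # extension applied to encrypted files
RANSOM_NOTE = "readme.haes.txt"      # ransom note dropped in each directory
MASS_WRITE_THRESHOLD = 5             # assumed value; tune per environment

# A "ping ... -n <count>" used as a sleep, followed on the same command line by
# del/erase of an .exe: the delay-then-self-delete sequence the article describes.
PING_DELAY = re.compile(r"\bping(?:\.exe)?\b[^&|]*?-n\s+\d+", re.IGNORECASE)
DEL_EXE = re.compile(r"\b(?:del|erase)\b[^&|]*\.exe\b", re.IGNORECASE)

def is_self_delete_chain(cmd: str) -> bool:
    """True when a ping delay precedes an .exe deletion in one command line."""
    ping = PING_DELAY.search(cmd)
    delete = DEL_EXE.search(cmd)
    return bool(ping and delete and ping.start() < delete.start())

def is_ransom_note(path: str) -> bool:
    """True when the created file's base name is the Mamona ransom note."""
    return re.split(r"[\\/]", path.lower())[-1] == RANSOM_NOTE

def has_ransom_extension(path: str) -> bool:
    """True when the created file carries the .HAes extension."""
    return path.lower().endswith(RANSOM_EXT)

def evaluate(events: Iterable[Event]) -> List[Tuple[str, str, str]]:
    """Return (rule_name, process_guid, detail) alerts for the event stream.

    Single .HAes writes are counted per process rather than alerted one by one;
    the count trips a mass-encryption alert once it reaches the threshold.
    """
    alerts: List[Tuple[str, str, str]] = []
    haes_writes: Counter = Counter()
    for ev in events:
        if ev.event_id == 1 and is_self_delete_chain(ev.command_line):
            alerts.append(("mamona_self_delete", ev.process_guid, ev.command_line))
        elif ev.event_id == 11 and is_ransom_note(ev.target_filename):
            alerts.append(("mamona_ransom_note", ev.process_guid, ev.target_filename))
        elif ev.event_id == 11 and has_ransom_extension(ev.target_filename):
            haes_writes[ev.process_guid] += 1
    for guid, count in haes_writes.items():
        if count >= MASS_WRITE_THRESHOLD:
            alerts.append(("mamona_mass_encryption", guid, f"{count} .HAes files created"))
    return alerts

# Constructed sample events: one benign ping, one process that encrypts five files,
# drops the note and then removes itself, and one unrelated file write.
DOCS = "C:\\Users\\Public\\Documents\\"
SAMPLE_EVENTS = [
    Event(1, "{guid-a}", "C:\\Windows\\System32\\PING.EXE", command_line="ping 10.0.0.1 -n 3"),
] + [
    Event(11, "{guid-b}", "C:\\Users\\Public\\sample.exe", target_filename=DOCS + name + RANSOM_EXT.upper())
    for name in ("budget.xlsx", "plan.docx", "notes.txt", "photo.jpg", "ledger.csv")
] + [
    Event(11, "{guid-b}", "C:\\Users\\Public\\sample.exe", target_filename=DOCS + "README.HAes.txt"),
    Event(1, "{guid-b}", "C:\\Windows\\System32\\cmd.exe",
          command_line='cmd.exe /c ping 127.0.0.1 -n 3 > nul & del "C:\\Users\\Public\\sample.exe"'),
    Event(11, "{guid-c}", "C:\\Windows\\explorer.exe", target_filename=DOCS + "meeting.txt"),
]

if __name__ == "__main__":
    for rule, guid, detail in evaluate(SAMPLE_EVENTS):
        print(f"{rule:26} {guid:10} {detail}")
```

The benign `ping ... -n 3` in the first event does not alert on its own, because the self-deletion rule requires the delay and the deletion of an executable to be chained in the same command line; in Wazuh this logic would sit in a custom rule over the Sysmon EventID 1 command-line field, while the note and extension checks belong with the FIM alerts that Wazuh then hands to YARA.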
Wazuh explained that with its open architecture, detection rules and monitoring settings can be modified and expanded by users to accommodate the latest threat intelligence or organisation-specific risk profiles. The Mamona detection updates are available now for users of the Wazuh security platform.
Ransomware landscape
Mamona joins a list of ransomware families known for prioritising destructive activity over complex techniques, relying on the ability to cause significant disruption in a short timespan. Wazuh emphasised the importance of a flexible defence strategy, facilitated by the open source nature of its security platform, enabling organisations to rapidly adapt rules and integrate indicators of compromise as new threats emerge.
While Mamona does not incorporate intricate evasion features, Wazuh’s analysis highlighted that its speed can outpace conventional security responses, reinforcing the need for real-time monitoring and multi-layered detection across endpoints to limit potential damage.