{"id":13267,"date":"2025-05-06T11:59:46","date_gmt":"2025-05-06T11:59:46","guid":{"rendered":"\/cybersecurity-blog\/?p=13267"},"modified":"2025-05-12T14:02:49","modified_gmt":"2025-05-12T14:02:49","slug":"mamona-ransomware-analysis","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/mamona-ransomware-analysis\/","title":{"rendered":"Mamona: Technical Analysis of a New Ransomware Strain"},"content":{"rendered":"\n<p><em>Editor\u2019s note:<\/em><strong><em>&nbsp;This article is authored by Mauro Eldritch, offensive security expert and threat intelligence analyst. You can&nbsp;<\/em><\/strong><a href=\"https:\/\/x.com\/MauroEldritch\" target=\"_blank\" rel=\"noreferrer noopener\"><strong><em>find Mauro on X<\/em><\/strong><\/a><strong><em>.<\/em><\/strong>&nbsp;<\/p>\n\n\n\n<p>These days, it&#8217;s easy to come across new <a href=\"https:\/\/any.run\/malware-trends\/ransomware\" target=\"_blank\" rel=\"noreferrer noopener\">ransomware strains<\/a> without much effort. But the ransomware threat landscape is far broader than it seems, especially once you dive into the&nbsp;commodity ransomware&nbsp;scene. This type of ransomware is developed by a group that sells a builder to third-party operators, with no formal agreement or contract between them, unlike the more organized&nbsp;Ransomware-as-a-Service (RaaS)&nbsp;model.&nbsp;<\/p>\n\n\n\n<p>On this side of the fence, we see countless new products appearing on the cybercrime shelf every day. They&#8217;re much harder to track, as victims, strains, infrastructure, and builds often have no direct connection to each other.&nbsp;<\/p>\n\n\n\n<p>Let\u2019s take a look at one of them:&nbsp;Mamona Ransomware. Never heard of it? That\u2019s probably because it\u2019s a new strain, but despite its short lifespan it has already made some noise. 
It\u2019s been spotted in campaigns run by&nbsp;BlackLock affiliates (who are also linked to&nbsp;Embargo), one of its online builders was exposed and later leaked on the clearnet, and the&nbsp;DragonForce group&nbsp;even stole the main website\u2019s&nbsp;.env&nbsp;file, publishing it on their Dedicated Leak Site on Tor under the headline:&nbsp;<em>\u201cIs this your .env file?\u201d<\/em>&nbsp;<\/p>\n\n\n\n<p>So, let\u2019s find out what this is all about.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"542\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/1-1024x542.png\" alt=\"\" class=\"wp-image-13269\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/1-1024x542.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/1-300x159.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/1-768x406.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/1-1536x813.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/1-2048x1084.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/1-370x196.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/1-270x143.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/1-740x392.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Mamona Ransomware in action<\/em><\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Mamona Ransomware: Key Takeaways&nbsp;<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Emerging threat:<\/strong>&nbsp;Mamona is a newly identified commodity ransomware strain.<\/li>\n<li><strong>No external communication:<\/strong>&nbsp;The malware operates entirely offline, with no observed Command and Control (C2) channels or data exfiltration.<\/li>\n<li><strong>Local encryption only:<\/strong>&nbsp;All cryptographic processing happens locally in custom routines; the binary imports no standard cryptographic library.<\/li>\n<li><strong>Obfuscated delay technique:<\/strong>&nbsp;A ping to 127.0.0.7 (a loopback address other than the usual 127.0.0.1) serves as a timing mechanism, followed by a self-deletion command to minimise forensic traces.<\/li>\n<li><strong>False extortion claims:<\/strong>&nbsp;The ransom note threatens data leaks, but the sample performs no data exfiltration.<\/li>\n<li><strong>File encryption behaviour:<\/strong>&nbsp;User files are encrypted and renamed with the .HAes extension; ransom notes are dropped in multiple directories.<\/li>\n<li><strong>Decryption available:<\/strong>&nbsp;A working decrypter was identified and successfully tested, enabling file recovery.<\/li>\n<li><strong>Functional, despite poor design:<\/strong>&nbsp;The decrypter has a dated interface but restores encrypted files correctly.<\/li>\n<\/ul>\n\n\n\n<p>This emerging ransomware can be clearly observed within <a href=\"http:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=mamona_analysis&amp;utm_term=060525&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN\u2019s cloud-based sandbox environment<\/a>. 
You can explore a full analysis session below for a detailed visual breakdown.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/cdcc75cd-d1f0-4fae-8924-d1aa44525e7e\" target=\"_blank\" rel=\"noreferrer noopener\">View analysis session with Mamona ransomware<\/a>&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Offline and Dangerous: Mamona\u2019s Silent Tactics&nbsp;<\/h2>\n\n\n\n<p>When you hear about ransomware, your first educated guess is usually a threat that comes from the outside, exfiltrates sensitive files, encrypts the local versions, and then demands a ransom. Pretty much the full ransomware cycle. But this one is different: it establishes no network communication, behaving as a\u00a0<strong>mute ransomware<\/strong>. The only connections it attempts are local, plus a single attempt to port 80 (HTTP) that is never completed, so no data is sent or received.\u00a0<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"367\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/2-2-1024x367.png\" alt=\"\" class=\"wp-image-13281\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/2-2-1024x367.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/2-2-300x108.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/2-2-768x275.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/2-2-1536x551.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/2-2-2048x734.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/2-2-370x133.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/2-2-270x97.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/2-2-740x265.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption 
class=\"wp-element-caption\"><em>A connection to port 80 is attempted, but not established&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>This lack of network communication strongly suggests that the encryption key is either generated locally on the fly or hardcoded within the binary itself. Either way, the key never leaves the host, which raises the odds of reverse-engineering a working decrypter; in this case, fortunately, one already exists.&nbsp;<\/p>\n\n\n\n<p>A closer look reveals that the encryptor relies entirely on homemade routines. There are no calls to standard cryptographic libraries, no use of the Windows CryptoAPI, and no references to external modules like OpenSSL. Instead, all cryptographic logic is implemented internally using low-level memory manipulation and arithmetic operations. A missing import is not proof on its own (a statically linked or dynamically resolved crypto library leaves no import entry either), which is why the routine itself, rather than just the import table, is examined below.&nbsp;<\/p>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\nSpeed up and simplify analysis of malware and phishing threats with <span class=\"highlight\">ANY.RUN&#8217;s Interactive Sandbox<\/span>&nbsp;   \n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/app.any.run\/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=mamona_analysis&#038;utm_term=060525&#038;utm_content=linktoregistration#register\/\" target=\"_blank\" rel=\"noopener\">\nSign up with business email\n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 
1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<p>One key routine sits at&nbsp;0x40E100. It is called repeatedly after registers and buffer pointers are pushed onto the stack, and its structure is typical of a custom symmetric cipher.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"298\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/3-1024x298.png\" alt=\"\" class=\"wp-image-13273\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/3-1024x298.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/3-300x87.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/3-768x224.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/3-1536x447.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/3-370x108.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/3-270x79.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/3-740x215.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/3.png 1680w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Custom encryption logic with no standard crypto<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>A symmetric routine with no key exchange and no per-victim key material reinforces the hypothesis of a static or trivially derived key, making Mamona a strong example of commodity ransomware that prioritises simplicity over cryptographic robustness.&nbsp;<\/p>\n\n\n\n<p>Still, just because this malware doesn\u2019t communicate 
with external hosts doesn\u2019t mean it can\u2019t cause serious local damage. Let\u2019s take a closer look.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How Mamona Executes Its Attack&nbsp;<\/h2>\n\n\n\n<p>The first thing Mamona does is execute a ping command as a crude time delay mechanism, chaining it with a self-deletion routine via cmd.exe.&nbsp;<\/p>\n\n\n\n<p>Pinging 127.0.0.7 is a classic trick in commodity malware: instead of calling sleep APIs or timers (which behavioural monitoring can flag), the malware pings a loopback address. Each echo request is answered instantly, but ping waits roughly a second between requests, so the request count becomes the sleep duration and cmd.exe runs the next command only once ping returns.&nbsp;<\/p>\n\n\n\n<p>Interestingly, it uses&nbsp;127.0.0.7&nbsp;rather than the more common&nbsp;127.0.0.1, most likely as a basic form of evasion. The address is still inside the reserved loopback block (127.0.0.0\/8), so the ping behaves identically, but it sidesteps detection rules that match the literal string&nbsp;127.0.0.1.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"535\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/4-1-1024x535.png\" alt=\"\" class=\"wp-image-13283\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/4-1-1024x535.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/4-1-300x157.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/4-1-768x401.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/4-1-1536x803.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/4-1-2048x1070.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/4-1-370x193.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/4-1-270x141.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/4-1-740x387.png 740w\" sizes=\"(max-width: 1024px) 
100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>A crude yet useful delay mechanism<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Once the delay has elapsed, the second half of the command deletes the executable from disk with Del \/f \/q (\/f forces deletion of read-only files, \/q suppresses the confirmation prompt). Windows keeps the image file of a running process locked, so the binary cannot remove itself directly; it hands the job to a separate cmd.exe process, whose ping gives the ransomware time to exit before del runs. This is a simple but effective form of self-cleanup aimed at reducing forensic traces, although the full command line survives in process-creation telemetry (Sysmon Event ID 1, or Windows Event ID 4688 with command-line auditing enabled), which is exactly where defenders should look for it.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"627\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/5-2-1024x627.png\" alt=\"\" class=\"wp-image-13285\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/5-2-1024x627.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/5-2-300x184.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/5-2-768x471.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/5-2-1536x941.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/5-2-2048x1255.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/5-2-370x227.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/5-2-270x165.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/5-2-740x453.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Even though the mechanism is indirect, ANY.RUN recognises the intent and flags the behaviour<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Mamona also performs a brief reconnaissance phase, harvesting basic host data such as the system\u2019s name and configured language. 
It then proceeds to drop a ransom note (README.HAes.txt) not only on the Desktop, but recursively inside multiple folders, increasing the chances the victim will see it.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"628\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/6-1-1024x628.png\" alt=\"\" class=\"wp-image-13287\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/6-1-1024x628.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/6-1-300x184.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/6-1-768x471.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/6-1-1536x942.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/6-1-2048x1255.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/6-1-370x227.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/6-1-270x166.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/6-1-740x454.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Recon routine and ransom note dropping<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Following the ransom note deployment, Mamona begins encrypting user files, renaming them with the .HAes extension and making them inaccessible. 
To reinforce the impact, it changes the system wallpaper to a stark warning: \u201cYour files have been encrypted!\u201d&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"620\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/7-1-1024x620.png\" alt=\"\" class=\"wp-image-13290\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/7-1-1024x620.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/7-1-300x182.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/7-1-768x465.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/7-1-1536x930.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/7-1-2048x1240.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/7-1-370x224.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/7-1-270x163.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/7-1-740x448.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Files receive a new extension<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The ransom note links to a dedicated leak site (DLS) and a victim chat, both on Tor. It also claims that \u201cwe have stolen a significant amount of your important files from your network\u201d and warns \u201cRefuse to pay: your stolen data will be published publicly\u201d. As shown above, the sample never sends anything out, so the threat is pure coercion. One caveat for responders: this proves only that the encryptor itself does not exfiltrate. In a hands-on intrusion the operators may have staged data with other tooling before deploying it, so the sample\u2019s silence is not, on its own, proof that nothing left the network.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"553\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/8-1024x553.png\" alt=\"\" class=\"wp-image-13292\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/8-1024x553.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/8-300x162.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/8-768x414.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/8-1536x829.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/8-2048x1105.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/8-370x200.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/8-270x146.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/8-740x399.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>\u201cMamona, R.I.P!\u201d: the ransom note, with a couple of lies<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>But we have an ace up our sleeve. For this engagement, alongside the malware sample, we&nbsp;also managed to obtain a decrypter thanks to <a href=\"https:\/\/x.com\/Merlax_\/status\/1902480932319457481\" target=\"_blank\" rel=\"noreferrer noopener\">Merlax<\/a>, a friend and fellow malware researcher. Let\u2019s take a look at how it works.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Undoing Mamona&#8217;s Damage&nbsp;<\/h2>\n\n\n\n<p>We\u2019re dealing with a Ctrl-Z in .exe form, so let\u2019s give it a chance and see how it performs. Visually, it\u2019s a mess: the interface looks like a homemade project built with an older version of Visual Studio. 
UI elements are poorly rendered, often misaligned or clipping outside window boundaries.&nbsp;&nbsp;<\/p>\n\n\n\n<p>But the backend does its job far better than the frontend, and the files are back to normal.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"552\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/9-1024x552.png\" alt=\"\" class=\"wp-image-13294\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/9-1024x552.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/9-300x162.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/9-768x414.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/9-1536x828.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/9-2048x1104.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/9-370x200.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/9-270x146.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/9-740x399.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Files on the desktop went back to normal<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>By analysing the decrypter, we find an interesting internal function at offset 0x40C270. 
Much like in the ransomware sample, we observe a series of low-level operations (AT&amp;T syntax): alignment to 4-byte boundaries (and $0xfffffffc, %ecx), fixed memory offsets (add $0x23), and a dense mix of mov, lea and arithmetic instructions,&nbsp;the same pattern seen in the encryptor\u2019s routine and consistent with the inverse of a custom symmetric cipher.&nbsp;<\/p>\n\n\n\n<p>Although there is no traditional <a href=\"https:\/\/any.run\/cybersecurity-blog\/encryption-in-malware\/\" target=\"_blank\" rel=\"noreferrer noopener\">XOR operation<\/a>, the operations used are invertible, which is consistent with a homemade scheme and explains why a decrypter can be built without any per-victim key.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"335\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/10-1024x335.png\" alt=\"\" class=\"wp-image-13297\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/10-1024x335.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/10-300x98.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/10-768x252.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/10-1536x503.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/10-370x121.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/10-270x88.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/10-740x242.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/10.png 1664w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Disassembly of the decrypter around offset 0x40C270<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>We have already infected our test machine and vaccinated it, and we are ready for the next stop on our journey: the ATT&amp;CK Matrix. 
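<\/p>\n\n\n\n<p>Before moving on, here is a way to test the static-key hypothesis that both the encryptor\u2019s routine at 0x40E100 and the decrypter\u2019s at 0x40C270 point to, using nothing but the encrypted files a victim is left with. This is an added example for this article, not Mamona\u2019s code and not the decrypter: the cipher inside it is a hypothetical stand-in that has the weaknesses the text describes (a static key, no per-file nonce, invertible byte-wise arithmetic), the victim files are constructed in memory, and it assumes the original extension survives in names such as photo.png.HAes. The check groups encrypted files by original format and measures how many leading ciphertext bytes they share: originals of one format begin with the same magic, so a shared run at least as long as that magic means one key and no per-file randomness. Ciphertext entropy is compared against random bytes as a second indicator of a homemade scheme.<\/p>\n\n

```python
"""Triage checks for the 'static key, no per-file nonce' hypothesis, run over
encrypted files grouped by their original format. Added example for this
article: the cipher below is a hypothetical stand-in with the weaknesses the
text hypothesises, NOT Mamona's routine, and every file is constructed."""
import math
import os
from collections import Counter, defaultdict

# Well-known magic bytes, used to group victims' files by original format.
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "pdf": b"%PDF-1.7\n", "zip": b"PK\x03\x04"}
KEY = bytes.fromhex("5a17c3e9")  # hypothetical static key baked into the binary


def toy_encrypt(data, key):
    """Byte-wise add-then-rotate with a static key and no IV or chaining."""
    out = bytearray()
    for i, b in enumerate(data):
        v = (b + key[i % len(key)]) & 0xFF
        out.append(((v << 3) | (v >> 5)) & 0xFF)   # rotate left by 3
    return bytes(out)


def toy_decrypt(data, key):
    """Exact inverse: rotate right by 3, then subtract the key byte."""
    out = bytearray()
    for i, c in enumerate(data):
        v = ((c >> 3) | (c << 5)) & 0xFF
        out.append((v - key[i % len(key)]) & 0xFF)
    return bytes(out)


def shannon_entropy(data):
    """Bits per byte; a sound cipher lands close to 8.0 on any input."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def original_format(name):
    """'photo.png.HAes' -> 'png'; assumes the original extension survives."""
    parts = name.lower().split(".")
    return parts[-2] if len(parts) >= 3 and parts[-1] == "haes" else None


def shared_prefix_len(blobs):
    """Number of leading bytes identical across every blob."""
    n = 0
    for column in zip(*blobs):
        if len(set(column)) != 1:
            break
        n += 1
    return n


def key_reuse_report(files):
    """files: {name: ciphertext}. For each format with two or more samples,
    count the leading bytes all samples share. Originals of one format start
    with the same magic, so a shared ciphertext run at least as long as that
    magic means identical plaintext produced identical ciphertext: one key,
    no per-file nonce. With a per-file key or IV the run would be zero."""
    groups = defaultdict(list)
    for name, blob in files.items():
        fmt = original_format(name)
        if fmt in MAGIC:
            groups[fmt].append(blob)
    report = {}
    for fmt, blobs in groups.items():
        if len(blobs) >= 2:
            run = shared_prefix_len(blobs)
            report[fmt] = {"samples": len(blobs), "shared_prefix": run,
                           "key_reuse": run >= len(MAGIC[fmt])}
    return report


# Constructed victim files: two PNGs sharing a 16-byte header, one PDF, one text.
PLAINTEXTS = {
    "photo1.png": MAGIC["png"] + b"\x00\x00\x00\rIHDR" + b"A" * 64,
    "photo2.png": MAGIC["png"] + b"\x00\x00\x00\rIHDR" + b"B" * 64,
    "invoice.pdf": MAGIC["pdf"] + b"%\xe2\xe3\xcf\xd3\n1 0 obj\n",
    "notes.txt": b"The quick brown fox jumps over the lazy dog. " * 40,
}
ENCRYPTED = {name + ".HAes": toy_encrypt(data, KEY) for name, data in PLAINTEXTS.items()}


def entropy_comparison():
    """Ciphertext of the toy routine versus 8 KiB of OS randomness."""
    return {"toy_cipher": shannon_entropy(ENCRYPTED["notes.txt.HAes"]),
            "random": shannon_entropy(os.urandom(8192))}


if __name__ == "__main__":
    print(key_reuse_report(ENCRYPTED))
    print({k: round(v, 2) for k, v in entropy_comparison().items()})
```

<p>On the constructed files the two PNGs share their first 16 ciphertext bytes (8 bytes of magic plus 8 bytes of IHDR header) and the toy ciphertext stays well below 8 bits per byte. A zero-length shared run, or entropy near 8.0 regardless of input, on real .HAes files would argue against the static-key hypothesis and for waiting on a proper decrypter rather than attempting known-plaintext recovery.<\/p>\n\n\n\n<p>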
As usual, ANY.RUN takes care of that automagically.&nbsp;<\/p>\n\n\n\n<!-- CTA Split START -->\n<div class=\"cta-split\">\n<div class=\"cta__split-left\">\n\n<!-- Image -->\n<img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/mcusercontent.com\/663b94f19348582a8dc323efe\/images\/0d88188b-3e89-2314-5a60-cb87e8077326.png\" alt=\"Learn to analyze malware in a sandbox\" class=\"cta__split-icon\" \/>\n<\/div>\n\n<div class=\"cta__split-right\">\n<div>\n\n<!-- Heading -->\n<h3 class=\"cta__split-heading\"><br>Learn to analyze cyber threats<\/h3>\n\n<!-- Text -->\n<p class=\"cta__split-text\">\nFollow along a detailed guide to using ANY.RUN&#8217;s <span class=\"highlight\">Interactive Sandbox<\/span> for malware and phishing analysis\n<br \/>\n<br \/>\n<\/p>\n<\/div>\n<!-- CTA Link -->\n<a target=\"_blank\" rel=\"noopener\" id=\"article-banner-split\" href=\"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-in-a-sandbox\/\"><div class=\"cta__split-link\">Read full guide<\/div><\/a>\n<\/div>\n<\/div>\n<!-- CTA Split END -->\n<!-- CTA Split Styles START -->\n<style>\n.cta-split {\noverflow: hidden;\nmargin: 3rem 0;\ndisplay: grid;\njustify-items: center;\nborder-radius: 0.5rem;\nwidth: 100%;\nmin-height: 25rem;\ngrid-template-columns: repeat(2, 1fr);\nborder: 1px solid rgba(75, 174, 227, 0.32);\nfont-family: 'Catamaran Bold';\n}\n\n.cta__split-left {\ndisplay: flex;\nalign-items: center;\njustify-content: center;\nheight: 100%;\nwidth: 100%;\nbackground-color: #161c59;\nbackground-position: center center;\nbackground: rgba(32, 168, 241, 0.1);\n}\n\n.cta__split-icon { \nwidth: 100%;\nheight: auto;\nobject-fit: contain;\nmax-width: 100%;\n}\n\n.cta__split-right {\ndisplay: flex;\nflex-direction: column;\njustify-content: space-between;\npadding: 2rem;\n}\n\n.cta__split-heading { font-size: 1.5rem; }\n\n.cta__split-text {\nmargin-top: 1rem;\nfont-family: Lato, Roboto, sans-serif;\n}\n\n.cta__split-link {\npadding: 0.5rem 1rem;\nfont-weight: 500;\ntext-decoration: 
none;\nborder-radius: 0.5rem;\ncolor: white;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\ndisplay: block;\nz-index: 1000;\nposition: relative;\ncursor: pointer !important;\n}\n\n.cta__split-link:hover {\nbackground-color: #68CBFF;\ncolor: white;\ncursor: pointer;\n}\n\n.highlight { color: #ea2526;}\n\n\n\/* Mobile styles START *\/\n@media only screen and (max-width: 768px) {\n\n.cta-split {\ngrid-template-columns: 1fr;\nmin-height: auto;\n}\n\n.cta__split-left {\nheight: auto;\nmin-height: 10rem;\n}\n\n\n.cta__split-left, .cta__split-right {\nheight: auto;\n}\n\n.cta__split-heading { font-size: 1.2rem; }\n\n.cta__split-text { font-size: 1rem; }\n.cta__split-icon {\nmax-height: auto;\nobject-fit: cover;\n}\n\n}\n\/* Mobile styles END *\/\n<\/style>\n<!-- CTA Split Styles END -->\n\n\n\n<h2 class=\"wp-block-heading\">Mapping the Threat: Mamona via MITRE ATT&amp;CK&nbsp;<\/h2>\n\n\n\n<p>ANY.RUN\u2019s <a href=\"https:\/\/any.run\/cybersecurity-blog\/mitre-ttps-in-ti-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">ATT&amp;CK integration<\/a> makes it easy to understand and track malware behaviour by profiling its events, tactics, and techniques.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"544\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/11-1024x544.png\" alt=\"\" class=\"wp-image-13299\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/11-1024x544.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/11-300x159.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/11-768x408.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/11-1536x816.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/11-2048x1087.png 2048w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/11-370x196.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/11-270x143.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/11-740x393.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Mamona\u2019s ATT&amp;CK Matrix on ANY.RUN<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Let\u2019s take a look at how Mamona\u2019s behaviour fits into this framework:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Discovery: T1012: Query Registry + T1082: System Information Discovery.<\/strong> The reconnaissance routine, in which the malware reads registry values such as the hostname and the configured system language.<\/li>\n<li><strong>Execution: T1059.003: Command and Scripting Interpreter: Windows Command Shell.<\/strong> Mamona spawns cmd.exe to run ping as a cheap delay and then to delete itself.<\/li>\n<li><strong>Defense Evasion: T1497.003: Virtualization\/Sandbox Evasion: Time Based Evasion.<\/strong> The ping-based delay, which sidesteps the sleep APIs that behavioural monitoring watches for (mapped here from the behaviour described above).<\/li>\n<li><strong>Defense Evasion: T1070.004: Indicator Removal: File Deletion.<\/strong> The self-deletion chained to the ping command.<\/li>\n<li><strong>Impact: T1486: Data Encrypted for Impact.<\/strong> The encryption process that leaves every file with the \u201c.HAes\u201d extension.<\/li>\n<li><strong>Impact: T1491.001: Defacement: Internal Defacement.<\/strong> The wallpaper replacement carrying the \u201cYour files have been encrypted!\u201d warning (mapped here from the behaviour described above).<\/li>\n<\/ul>\n\n\n\n<p>This sums up Mamona\u2019s behaviour, which deviates from the usual pattern seen in commodity ransomware. It establishes no network connections and has no Command and Control channels over Telegram, Discord, or similar platforms. 
Instead, it relies on a weak, locally executed key generation routine and doesn\u2019t include any form of double extortion, making its threats of data theft and publication purely coercive.&nbsp;<\/p>\n\n\n\n<p>What it does have is a retro-styled decrypter that, despite its clunky and outdated interface, simply works.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Mamona Threat Impact&nbsp;<\/h2>\n\n\n\n<p>The Mamona ransomware campaign presents significant risks despite its offline, minimalistic design:&nbsp;<\/p>\n\n\n\n<p><strong>For end users:<\/strong>&nbsp;Victims face immediate file encryption, system disruption, and psychological pressure through false claims of data theft. The ransom note\u2019s threatening tone adds urgency, even though there\u2019s no actual data exfiltration.&nbsp;<\/p>\n\n\n\n<p><strong>For organizations:<\/strong>&nbsp;Mamona can interrupt workflows, encrypt shared drives, and complicate incident response, especially in environments lacking offline backups or real-time monitoring. Its simplicity also makes it harder to detect through conventional network-based defenses.&nbsp;<\/p>\n\n\n\n<p><strong>For security teams:<\/strong>&nbsp;The absence of C2 traffic and use of locally executed logic reduce visibility in traditional detection systems. Its use of basic commands like&nbsp;ping&nbsp;and&nbsp;cmd.exe&nbsp;mimics legitimate activity, requiring deeper behavioral analysis to flag accurately.&nbsp;<\/p>\n\n\n\n<p><strong>For the broader threat landscape:<\/strong>&nbsp;Mamona exemplifies the rise of easy-to-use, builder-based ransomware that favors simplicity over sophistication. Its leaked builder lowers the entry barrier for attackers, raising concerns about wider adoption by low-skilled threat actors.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion&nbsp;<\/h2>\n\n\n\n<p>The analysis of Mamona Ransomware shows how even a quiet, offline threat can cause disruptions. 
&nbsp;<\/p>\n\n\n\n<p>This strain highlights a rising trend: ransomware that trades complexity for accessibility. It&#8217;s easy to deploy, harder to detect with traditional tools, and still effective enough to encrypt systems and pressure victims into paying. Its leaked builder and low barrier to entry only raise the risk of widespread abuse by less sophisticated attackers.&nbsp;<\/p>\n\n\n\n<p>By analyzing Mamona in real time using <a href=\"http:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=mamona_analysis&amp;utm_term=060525&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN\u2019s Interactive Sandbox<\/a>, we were able to capture the full attack chain, from initial execution and system changes to ransom note deployment and encryption logic, all without needing external network traces.&nbsp;<\/p>\n\n\n\n<p>Here\u2019s how this type of dynamic analysis helps defenders stay ahead:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Detect threats faster:<\/strong>&nbsp;Spot unusual behavior, even in offline-only attacks.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>See everything in motion:<\/strong>&nbsp;Monitor local activity, file operations, and persistence techniques as they happen.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Speed up investigations:<\/strong>&nbsp;Gather and interpret IOCs without jumping from one tool to another.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Respond more effectively:<\/strong>&nbsp;Share artifacts and tactics across security teams.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Experience real-time visibility with ANY.RUN and catch threats others might miss.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=mamona_analysis&amp;utm_term=060525&amp;utm_content=linktodemo\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Try 
ANY.RUN\u2019s Interactive Sandbox today<\/strong><\/a>&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">IOCs<\/h2>\n\n\n\n<p>SHA256: b6c969551f35c5de1ebc234fd688d7aa11eac01008013914dbc53f3e811c7c77<\/p>\n\n\n\n<p>SHA256: c5f49c0f566a114b529138f8bd222865c9fa9fa95f96ec1ded50700764a1d4e7<\/p>\n\n\n\n<p>Extension of encrypted files: .HAes<\/p>\n\n\n\n<p>Ransom note: README.HAes.txt<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">References<\/h2>\n\n\n\n<p><a href=\"https:\/\/bazaar.abuse.ch\/sample\/c5f49c0f566a114b529138f8bd222865c9fa9fa95f96ec1ded50700764a1d4e7\">https:\/\/bazaar.abuse.ch\/sample\/c5f49c0f566a114b529138f8bd222865c9fa9fa95f96ec1ded50700764a1d4e7<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/bazaar.abuse.ch\/sample\/b6c969551f35c5de1ebc234fd688d7aa11eac01008013914dbc53f3e811c7c77\">https:\/\/bazaar.abuse.ch\/sample\/b6c969551f35c5de1ebc234fd688d7aa11eac01008013914dbc53f3e811c7c77<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/cdcc75cd-d1f0-4fae-8924-d1aa44525e7e\">https:\/\/app.any.run\/tasks\/cdcc75cd-d1f0-4fae-8924-d1aa44525e7e<\/a><\/p>\n","protected":false},"author":6,"featured_media":13311,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,10,15,34,40],"class_list":["post-13267","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-cybersecurity","tag-malware","tag-malware-analysis","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Mamona: Technical Analysis of a New Ransomware Strain - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"Discover detailed breakdown of Mamona, a new ransomware strain with advanced encryption capabilities operated by BlackLock affiliates.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/mamona-ransomware-analysis\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Mauro Eldritch\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"11 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/mamona-ransomware-analysis\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/mamona-ransomware-analysis\/\"},\"author\":{\"name\":\"Mauro Eldritch\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Mamona: Technical Analysis of a New Ransomware Strain\",\"datePublished\":\"2025-05-06T11:59:46+00:00\",\"dateModified\":\"2025-05-12T14:02:49+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/mamona-ransomware-analysis\/\"},\"wordCount\":2135,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware\",\"malware analysis\",\"malware behavior\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/mamona-ransomware-analysis\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/mamona-ransomware-analysis\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/mamona-ransomware-analysis\/\",\"name\":\"Mamona: Technical Analysis of a New Ransomware Strain - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2025-05-06T11:59:46+00:00\",\"dateModified\":\"2025-05-12T14:02:49+00:00\",\"description\":\"Discover detailed breakdown of Mamona, a new ransomware strain with advanced encryption capabilities operated by BlackLock 
affiliates.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/mamona-ransomware-analysis\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/mamona-ransomware-analysis\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/mamona-ransomware-analysis\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Mamona: Technical Analysis of a New Ransomware Strain\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"Mauro Eldritch\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/01\/Mauro-copy.jpeg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/01\/Mauro-copy.jpeg\",\"caption\":\"Mauro Eldritch\"},\"description\":\"Mauro Eldritch is an Argentinian-Uruguayan hacker, founder of BCA LTD and DC5411 (Argentina \/ Uruguay). He has spoken at various events, including DEF CON (12 times). He is passionate about Threat Intelligence and Biohacking.\u00a0He currently leads Bitso\u2019s Quetzal Team, the first in Latin America dedicated to Web3 Threat Research. Follow Mauro on: X LinkedIn GitHub\",\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->"}