New Mamona Ransomware Attack Windows Machines by Abusing Ping Commands


May 10, 2025 - 02:52

A new ransomware strain dubbed “Mamona” abuses the built-in Windows ping command as a timer in its execution chain and runs without any network communication.

Unlike traditional ransomware that communicates with remote servers, Mamona works completely offline, making it particularly difficult to detect with conventional network monitoring tools.

“This strain highlights a rising trend: ransomware that trades complexity for accessibility. It’s easy to deploy, harder to detect with traditional tools, and still effective enough to encrypt systems and pressure victims into paying,” Mauro Eldritch noted.

What makes Mamona unique is its “mute” operation – it performs all activities locally, with no observed Command and Control channels or data exfiltration.

The ransomware employs a distinctive delay mechanism: it pings the unusual loopback address 127.0.0.7 rather than the standard 127.0.0.1. Any address in 127.0.0.0/8 loops back on Windows, so the ping still succeeds and produces the intended pause, while detection rules that match only the literal 127.0.0.1 are likely to miss it.


Mamona Ransomware’s Encryption & Obfuscation

Upon infection, Mamona executes a series of carefully designed steps. First, it uses the ping command as a crude timing mechanism, followed immediately by a self-deletion command to limit forensic analysis.

“Once the short delay is complete, the second part of the command attempts to delete the executable from disk using Del /f /q,” explained researcher Mauro Eldritch.
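The two-stage chain described above (a ping to a loopback address used as a sleep, followed by a forced, quiet delete of the dropper) is a pattern that can be hunted in process-creation telemetry. The following is an added detection example written for this article; it is not code from the article, from Mauro Eldritch’s analysis, or from the malware itself. The article does not publish Mamona’s exact command line, so the sample log lines below are constructed to contain only the components it does describe (ping to 127.0.0.7, then Del /f /q), and `naive_rule` is a hypothetical brittle rule included to show why anchoring on the literal 127.0.0.1 misses this variant.

```python
"""
Added example: detect the "ping loopback as timer, then del /f /q" chain
in cmd.exe command lines. Not from the original article or its sources.
Sample command lines are constructed; the real Mamona command line is not
given in the article.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Anything in 127.0.0.0/8 is loopback on Windows, not only 127.0.0.1.
LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")
# cmd.exe command separators: &&, ||, &, |  (longest alternatives first)
SEGMENT_SPLIT = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")


@dataclass
class Finding:
    ping_target: Optional[str]   # loopback address handed to ping, if any
    nonstandard_loopback: bool   # loopback target other than 127.0.0.1
    delete_after_ping: bool      # del/erase with /f and /q in a later segment

    @property
    def suspicious(self) -> bool:
        return self.ping_target is not None and self.delete_after_ping


def _basename(token: str) -> str:
    """Lower-case file name of a token, ignoring quotes and any directory path."""
    return token.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _find(tokens, names):
    """Index of the first token naming one of `names` (e.g. ping, PING.EXE)."""
    for i, tok in enumerate(tokens):
        if _basename(tok) in names:
            return i
    return None


def _loopback_target(tokens):
    """First token that parses as an address inside 127.0.0.0/8, else None."""
    for tok in tokens:
        try:
            ip = ipaddress.ip_address(tok.strip('"'))
        except ValueError:
            continue
        if ip in LOOPBACK_NET:
            return str(ip)
    return None


def _forced_quiet(switch_tokens) -> bool:
    """True when the del/erase arguments carry both /f (force) and /q (quiet)."""
    switches = set()
    for tok in switch_tokens:
        if tok.startswith("/"):
            switches.update(part.lower() for part in tok.split("/") if part)
    return {"f", "q"} <= switches


def analyze(cmdline: str) -> Finding:
    """Split the command line into cmd.exe segments and look for the chain."""
    segments = [seg.split() for seg in SEGMENT_SPLIT.split(cmdline) if seg.strip()]
    ping_idx = ping_target = None
    for i, toks in enumerate(segments):
        pos = _find(toks, ("ping", "ping.exe"))
        if pos is not None:
            target = _loopback_target(toks[pos + 1:])
            if target is not None:
                ping_idx, ping_target = i, target
                break
    delete_after = False
    if ping_idx is not None:
        for toks in segments[ping_idx + 1:]:
            pos = _find(toks, ("del", "erase"))
            if pos is not None and _forced_quiet(toks[pos + 1:]):
                delete_after = True
                break
    nonstandard = ping_target is not None and ping_target != "127.0.0.1"
    return Finding(ping_target, nonstandard, delete_after)


def naive_rule(cmdline: str) -> bool:
    """Hypothetical brittle rule: literal 'ping 127.0.0.1' plus a del in one line."""
    low = cmdline.lower()
    return "ping 127.0.0.1" in low and "del " in low


def scan(cmdlines):
    """Return (cmdline, Finding) pairs for lines matching the timer + self-delete chain."""
    hits = []
    for cmdline in cmdlines:
        finding = analyze(cmdline)
        if finding.suspicious:
            hits.append((cmdline, finding))
    return hits


# Constructed sample telemetry (e.g. Sysmon Event ID 1 CommandLine fields).
SAMPLE_COMMAND_LINES = [
    # components the article describes: ping 127.0.0.7 as a timer, then Del /f /q
    r'cmd.exe /c ping 127.0.0.7 -n 3 > nul & Del /f /q "C:\Users\victim\AppData\Local\Temp\update.exe"',
    # same chain with the conventional loopback address
    r'cmd.exe /c ping 127.0.0.1 -n 2 > nul && del /f /q "C:\Temp\setup_stub.exe"',
    # benign connectivity check, no deletion
    r'ping -n 4 10.0.0.1',
    # forced delete with no ping timer in front of it
    r'cmd.exe /c del /f /q C:\Temp\old.log',
]

if __name__ == "__main__":
    for line, finding in scan(SAMPLE_COMMAND_LINES):
        print(f"{finding.ping_target:<10} nonstandard={finding.nonstandard_loopback}  {line}")
```

Running the block flags the first two sample lines and leaves the connectivity check and the stand-alone delete alone; the 127.0.0.7 line is the one `naive_rule` misses, which is the practical point of treating the whole 127.0.0.0/8 range as loopback in a rule rather than one literal address.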

It performs reconnaissance by collecting basic system information such as the computer name and configured language.

Files are encrypted using a homemade cryptographic routine rather than standard libraries, with all encryption logic implemented through low-level memory manipulation and arithmetic operations.


Encrypted files receive the “.HAes” extension (e.g., “document.pdf” becomes “document.pdf.HAes”), and a ransom note titled “README.HAes.txt” is dropped in multiple directories.


The ransomware changes the desktop wallpaper to display “Your files have been encrypted!”.

Despite threatening to leak stolen data in its ransom note, analysis confirms Mamona performs no actual data exfiltration. “There’s literally no network activity, so this seems to be a threat to coerce the victim into paying the ransom,” security experts concluded.

Mamona has been linked to campaigns previously run by BlackLock ransomware affiliates, who are also connected to another strain called Embargo. The ransomware gained additional notoriety when the DragonForce group reportedly took over operations after BlackLock was dismantled in March 2025.

While Mamona uses relatively weak encryption methods, its offline operation and ease-of-use for low-skill cybercriminals pose significant risks to both individuals and organizations.

The ransomware particularly threatens small and medium-sized businesses without sophisticated security monitoring.

Fortunately, security researchers have identified and tested a working decryption tool. “Despite the decrypter featuring an outdated interface, it effectively restores encrypted files,” researchers confirmed.

The emergence of Mamona reinforces a concerning trend in the ransomware landscape – the shift toward easily accessible, builder-based ransomware that prioritizes simplicity over sophistication, lowering the barrier to entry for less technical cybercriminals.

