- Mamona runs quietly, never touches the Internet and then deletes itself, which makes detection difficult
- A three-second delay followed by self-deletion helps Mamona slip past detection rules
- The ransomware's behavior blends in with normal activity, delaying the security team's response
Security researchers are tracking Mamona, a newly identified ransomware strain that stands out for its stripped-down design and its silent local execution.
Wazuh researchers note that this ransomware avoids the usual reliance on command-and-control servers, instead taking an autonomous approach that sidesteps tools which depend on network traffic analysis.
It runs locally on a Windows system as a self-contained binary, and this offline behavior exposes a blind spot in conventional defenses, forcing a rethink of how even the best antivirus and detection systems should operate when there is no network traffic to inspect.
Self-deletion and evasion tactics complicate detection
During execution, it introduces a three-second delay using a repurposed ping command of the form cmd.exe /C ping 127.0.0.7 -n 3 > Nul & Del /F /Q <path to its own executable>, and then deletes itself: the ping to a loopback address serves only as a sleep, its output is discarded, and the forced, quiet delete is chained after it.
This self-deletion reduces forensic artifacts, making it harder for investigators to trace or analyze the malware after it has run.
Instead of the familiar 127.0.0.1, it pings 127.0.0.7; a detection rule that only matches the literal 127.0.0.1 string will miss it, even though every address in 127.0.0.0/8 is loopback and the ping still does nothing but delay. Rules should therefore match the whole loopback range, and the ping-then-delete pattern, rather than a single address.
This technique evades simple detection models and avoids leaving the on-disk traces that traditional file-based scanners could flag.
It drops a ransom note named Readme.haes.txt and renames the affected files with the .haes extension, signaling a successful encryption run.
Wazuh warns that the "plug-and-play nature of the malware lowers the barrier for cybercriminals, contributing to the broader commoditization of ransomware".
This shift calls for a closer look at what counts as the best ransomware protection, especially when such threats no longer need remote control infrastructure to do damage.
Wazuh's approach to detecting Mamona is to integrate Sysmon for log capture and to use custom rules that flag specific behaviors such as ransom note creation and ping-based delays.
Rule 100901 targets the creation of the Readme.haes.txt file, while rule 100902 confirms the presence of ransomware when the ransom note activity and the delay/self-delete sequence appear together.
These rules surface indicators that would otherwise slip past more generic monitoring configurations.
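As an added example (not Wazuh's code and not from the original article), the Python sketch below shows the detection logic behind the two rules just described, and the loopback point made earlier, run over a few constructed Sysmon-style events: one check matches the ping-delay-then-delete command line for any address in 127.0.0.0/8 rather than only 127.0.0.1, a second matches creation of the Readme.haes.txt note, and a correlation step confirms ransomware only when both indicators occur within a short window. The field names (win.eventdata.commandLine, win.eventdata.targetFilename), timestamps, paths and the 60-second window are assumptions chosen for the example.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style events for this example (not real telemetry).
# Field names follow the win.eventdata.* convention used for Sysmon data
# in Wazuh as an assumption; timestamps and paths are made up.
SAMPLE_EVENTS = [
    {   # Sysmon event 1 (process creation): the delay-then-self-delete chain
        "ts": "2025-05-01T10:00:00", "event_id": 1,
        "win.eventdata.image": "C:\\Windows\\System32\\cmd.exe",
        "win.eventdata.commandLine":
            'cmd.exe /C ping 127.0.0.7 -n 3 > Nul & Del /f /q "C:\\Users\\victim\\Downloads\\sample.exe"',
    },
    {   # Sysmon event 11 (file creation): the ransom note, written two seconds earlier
        "ts": "2025-05-01T09:59:58", "event_id": 11,
        "win.eventdata.image": "C:\\Users\\victim\\Downloads\\sample.exe",
        "win.eventdata.targetFilename": "C:\\Users\\victim\\Documents\\Readme.haes.txt",
    },
    {   # Benign: an admin pinging loopback with nothing chained after it
        "ts": "2025-05-01T11:00:00", "event_id": 1,
        "win.eventdata.image": "C:\\Windows\\System32\\cmd.exe",
        "win.eventdata.commandLine": "cmd.exe /C ping 127.0.0.1 -n 3",
    },
]

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# ping <ipv4> -n <count> ... & del ...  (case-insensitive; a redirection such as
# "> Nul" between the ping and the "&" is allowed by the lazy ".*?")
PING_DEL_RE = re.compile(
    r"ping\s+(?P<addr>\d{1,3}(?:\.\d{1,3}){3})\s+-n\s+\d+.*?&\s*del\b",
    re.IGNORECASE,
)

# Matches the note name as the final path component, whatever directory it lands in.
RANSOM_NOTE_RE = re.compile(r"(?:^|\\)readme\.haes\.txt$", re.IGNORECASE)


def is_ping_delay_self_delete(cmdline: str) -> bool:
    """True for a ping-as-sleep chained into del, for ANY loopback address.

    Matching only the literal 127.0.0.1 is what lets 127.0.0.7 slip through;
    checking membership in 127.0.0.0/8 closes that gap.
    """
    m = PING_DEL_RE.search(cmdline)
    if not m:
        return False
    try:
        addr = ipaddress.ip_address(m.group("addr"))
    except ValueError:          # e.g. an octet above 255
        return False
    return addr in LOOPBACK


def is_ransom_note_creation(event: dict) -> bool:
    """True for a file-creation event whose target is the ransom note."""
    if event.get("event_id") != 11:
        return False
    return bool(RANSOM_NOTE_RE.search(event.get("win.eventdata.targetFilename", "")))


def classify(event: dict):
    """Tag a single event with the indicator it triggers, or None."""
    if event.get("event_id") == 1 and is_ping_delay_self_delete(
            event.get("win.eventdata.commandLine", "")):
        return "ping_delay_self_delete"
    if is_ransom_note_creation(event):
        return "ransom_note_created"
    return None


def correlate(events, window=timedelta(seconds=60)):
    """Return (tags, confirmed): the per-event tags plus the correlated verdict.

    `confirmed` is True only when a ransom-note creation and the
    delay/self-delete sequence both occur within `window` of each other,
    mirroring the "both appear together" condition described in the article.
    """
    hits = []
    for ev in events:
        tag = classify(ev)
        if tag:
            hits.append((tag, datetime.fromisoformat(ev["ts"])))
    notes = [t for tag, t in hits if tag == "ransom_note_created"]
    deletes = [t for tag, t in hits if tag == "ping_delay_self_delete"]
    confirmed = any(abs(n - d) <= window for n in notes for d in deletes)
    return [tag for tag, _ in hits], confirmed


if __name__ == "__main__":
    tags, confirmed = correlate(SAMPLE_EVENTS)
    print("indicators:", tags)
    print("ransomware confirmed:", confirmed)
```

In a real Wazuh deployment the same two checks would be expressed as rule XML matching the Sysmon fields, with the loopback condition written as a regex over 127.x.x.x rather than the single literal 127.0.0.1; the correlation in the second function is the part that keeps a lone ping-delay from paging anyone.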
To respond to Mamona before damage is done, Wazuh pairs YARA rules with real-time File Integrity Monitoring (FIM).
When a suspicious file is added or modified, especially in the user's Downloads folder, the Wazuh Active Response module triggers a YARA scan. Because the binary deletes itself within seconds of running, that scan has to fire on the file write rather than on a periodic sweep.
This immediate remediation mirrors what one would expect of the best DDoS protection strategies: act quickly before a deeper compromise takes hold.
As ransomware continues to evolve, the best antivirus solutions must evolve too, and although no tool guarantees perfect protection, solutions with a modular response give defenders a flexible and scalable edge.