A sophisticated new ransomware strain known as “Mamona” is rapidly spreading across Windows machines. Because it operates entirely offline and uses the Windows ping command as an integrated timing tool, it is significantly more difficult to detect with conventional network monitors than other malware.
Developed as a commodity ransomware, Mamona operates quietly on the victim’s computer without the use of command-and-control (C2) channels or data exfiltration.
Mamona’s ready-made extortion toolkit makes sophisticated attacks accessible to almost any cybercriminal, broadening the threat landscape. Its ease of deployment and low entry barrier reflect a shift in the balance between complexity and accessibility in favour of “plug-and-play” malware.
This is because independent operators access the Mamona code without formal Ransomware-as-a-Service agreements. Security teams face a difficult and covert task because its “mute” technique ensures all destructive activities remain local.
Its most distinctive feature is a delay technique in which Mamona pings the unusual loopback address 127.0.0.7, rather than using standard sleep calls. This bypasses simple detection rules by remaining within the 127.0.0.0/8 range but avoiding the commonly monitored 127.0.0.1.
Once the short delay completes, Mamona spawns a separate cmd.exe shell to delete its own binary via `Del /f /q "path\to\mamona.exe"`. Running the deletion in a child process gets around the limitation that a running process cannot erase its own executable, and it removes the binary that investigators would otherwise recover for forensic analysis.
The malware gathers fundamental system data, such as the machine name and the configured language settings, as reconnaissance. To further show its commitment to obfuscation and anti-analysis, it implements a custom encryption routine rather than calling standard cryptographic libraries; the routine relies entirely on low-level memory manipulation and arithmetic operations.
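The two behaviours described above, the ping to an unusual loopback address and the cmd.exe child that deletes its parent's executable, are both visible in process-creation telemetry. The following is an added detection example (not code from the article or from any vendor); the Sysmon-style records, the field names (`image`, `cmdline`, `parent`) and the path `C:\Temp\mamona.exe` are constructed for illustration.

```python
import ipaddress
import re

# Constructed process-creation records (Sysmon-style fields), not real telemetry.
EVENTS = [
    {"image": r"C:\Windows\System32\PING.EXE", "cmdline": "ping 127.0.0.7 -n 3",
     "parent": r"C:\Temp\mamona.exe"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c Del /f /q "C:\\Temp\\mamona.exe"', "parent": r"C:\Temp\mamona.exe"},
    {"image": r"C:\Windows\System32\PING.EXE", "cmdline": "ping 127.0.0.1",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir",
     "parent": r"C:\Windows\explorer.exe"},
]

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
LOCALHOST = ipaddress.ip_address("127.0.0.1")
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# del with both /f and /q, followed by a quoted or bare path ending in .exe
DEL_EXE = re.compile(r'\bdel\b[^"]*?/f[^"]*?/q\s+"?([^"]+?\.exe)"?', re.IGNORECASE)


def odd_loopback_ping(ev):
    """ping.exe aimed at a 127.0.0.0/8 address other than 127.0.0.1 (the sleep substitute)."""
    if not ev["image"].lower().endswith("ping.exe"):
        return False
    for token in IPV4.findall(ev["cmdline"]):
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            continue  # digits that are not a valid address, e.g. 999.1.1.1
        if ip in LOOPBACK and ip != LOCALHOST:
            return True
    return False


def parent_deleted_by_child(ev):
    """cmd.exe running del /f /q on the very executable that spawned it."""
    if not ev["image"].lower().endswith("cmd.exe"):
        return False
    m = DEL_EXE.search(ev["cmdline"])
    return bool(m) and m.group(1).lower() == ev["parent"].lower()


def triage(events):
    """Return (rule, parent image) pairs for every record matching either behaviour."""
    hits = []
    for ev in events:
        if odd_loopback_ping(ev):
            hits.append(("loopback-ping-delay", ev["parent"]))
        if parent_deleted_by_child(ev):
            hits.append(("self-delete-via-cmd", ev["parent"]))
    return hits
```

Either rule alone is noisy in some environments; correlating both on the same parent image, as `triage` makes possible, is the stronger signal.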
Mamona ransomware lowers the barrier for aspiring cybercriminals by prioritising accessibility over complexity. Its combination of a simple delay mechanism, self-deletion routine, and local encryption makes it both easy to deploy and resilient against basic security measures.
Mamona’s “Ransomware-as-a-Builder” Model and Why SMBs Are at Risk
Gathering the host's name and language settings is the first step in Mamona's reconnaissance phase. To increase the probability that the victim will notice it, it then drops a ransom note (README.HAes.txt) into each subfolder and onto the desktop.
After placing the note, Mamona locks down user files by encrypting them and appending a .HAes extension. It changes the desktop background to the stern warning "Your files have been encrypted!" to reinforce the message.
The ransom message contains links to a Tor-hosted leak site (DLS) and a victim support chat. The document claims, “We have stolen a significant amount of your important files” while warning, “Refuse to pay: your stolen data will be published publicly.”
Mamona has rapidly emerged as a significant threat in the evolving ransomware landscape. Analysts link the pattern back to the same group responsible for the Embargo strain, which consists of former BlackLock affiliates.
After law enforcement dismantled BlackLock in March 2025, the DragonForce group took over its infrastructure, rebranding and improving operations under the Mamona banner. This transition highlights how quickly threat actors adapt and regroup.
Small and medium-sized businesses (SMBs) are particularly vulnerable to Mamona’s builder-based model. Mamona provides an easy-to-use toolkit compared to complex ransomware that requires advanced expertise.
This “ransomware-as-a-builder” approach lowers the barrier to entry, enabling less technical cybercriminals to launch malicious attacks. Many SMBs lack continuous security monitoring or endpoint behavioural analysis, leaving them vulnerable to covert attacks.
Security experts advise a multi-layered approach to protect against Mamona and related strains. Improve endpoint behaviour analytics to detect anomalous activity in real time rather than depending solely on signature updates.
Make sure backups of important data are kept disconnected from your network as part of a strong offline backup plan, so that recovery is quick. Workshops on ransomware awareness and phishing simulations can lower the human risk factor.
Security Awareness Training remains one of the most cost-effective methods of boosting cyber-security within your business. Have a look at our free Click-Prone® Test to find out how many of your staff are susceptible to a phishing attack and learn how you can reduce this number today.