- Mamona executes quietly, never touches the internet, and erases itself, making it hard to detect
- A three-second delay followed by self-deletion helps Mamona evade detection rules
- Ransomware behavior blends in with normal activity, delaying security team response
Security researchers are tracking Mamona, a newly identified ransomware strain that stands out for its stripped-down design and quiet, local execution.
Experts from Wazuh say this ransomware avoids the usual reliance on command-and-control servers, opting instead for a self-contained approach that slips past tools dependent on network traffic analysis.
It runs locally on a Windows system as a standalone binary, and this offline behavior exposes a blind spot in conventional defenses: antivirus and detection systems that rely on network indicators have nothing to observe when the malware never generates network traffic.
Self-deletion and evasion tactics complicate detection
Upon execution, it waits roughly three seconds by running a ping against a loopback address (a common stand-in for a sleep in cmd.exe), cmd.exe /C ping 127.0.0.7 -n 3 > Nul & Del /f /q, and then deletes its own binary.
This self-deletion reduces forensic artifacts, making it harder for investigators to trace or analyze the malware after it has run.
Instead of the usual 127.0.0.1, it pings 127.0.0.7; every address in 127.0.0.0/8 is loopback, so the delay still works, while detection rules that match only the literal string 127.0.0.1 miss it.
Combined with the self-deletion, this method evades simple detection patterns and avoids leaving the on-disk traces that traditional file-based scanners might flag.
It drops a ransom note titled README.HAes.txt and renames affected files with the .HAes extension, signaling a successful encryption operation.
Wazuh warns that the malware’s “plug-and-play nature lowers the barrier for cybercriminals, contributing to the broader commoditization of ransomware.”
This shift suggests a need for greater scrutiny of what qualifies as the best ransomware protection, especially when such threats no longer need remote control infrastructure to cause damage.
Wazuh’s approach to detecting Mamona involves integrating Sysmon for log capture and using custom rules to flag specific behaviors such as ransom note creation and ping-based delays.
Rule 100901 targets the creation of the README.HAes.txt file, while Rule 100902 confirms the presence of ransomware when both ransom note activity and the delay/self-delete sequence appear together.
These rules help identify indicators that might otherwise escape more general monitoring setups.
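As an added example (not Wazuh's rules or code from the article), the detection logic below reproduces the two behaviors described above over constructed Sysmon-style events: it flags a ping to any 127.0.0.0/8 address with a repeat count followed by a del in the same command line, flags creation of README.HAes.txt or .HAes files, and only confirms ransomware on a host when both the ransom-note indicator and the delay/self-delete indicator are present, the same AND condition the article attributes to Rule 100902. The event field names and the sample events are assumptions, not real telemetry.

```python
"""Correlate ransom-note creation with the ping-delay/self-delete command.

Added example; the event dictionaries are constructed Sysmon-style records,
not real logs, and the field names are assumptions.
"""
import re
from collections import defaultdict

# Sysmon Event ID 1 = process creation, Event ID 11 = file creation.
PROCESS_CREATE = 1
FILE_CREATE = 11

RANSOM_NOTE = "README.HAes.txt"
ENCRYPTED_EXT = ".HAes"

# Match a ping to ANY loopback address (127.x.x.x) with a repeat count (-n),
# followed somewhere later in the same command line by a "del". A rule that
# matches only 127.0.0.1 would miss the 127.0.0.7 variant described above.
PING_DELETE_RE = re.compile(
    r"ping\s+127\.\d{1,3}\.\d{1,3}\.\d{1,3}\s+-n\s+\d+.*\bdel\b",
    re.IGNORECASE,
)


def classify(event):
    """Return the set of indicator names a single event triggers."""
    hits = set()
    if event["event_id"] == FILE_CREATE:
        target = event.get("target_filename", "").lower()
        if target.endswith(RANSOM_NOTE.lower()):
            hits.add("ransom_note_created")
        elif target.endswith(ENCRYPTED_EXT.lower()):
            hits.add("encrypted_file_written")
    elif event["event_id"] == PROCESS_CREATE:
        if PING_DELETE_RE.search(event.get("command_line", "")):
            hits.add("ping_delay_self_delete")
    return hits


def correlate(events):
    """Group indicators per host and return a verdict per host.

    'ransomware_confirmed' requires BOTH the ransom note and the
    delay/self-delete command; a single indicator is only 'suspicious'.
    """
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= classify(ev)
    verdicts = {}
    for host, hits in per_host.items():
        if {"ransom_note_created", "ping_delay_self_delete"} <= hits:
            verdicts[host] = "ransomware_confirmed"
        elif hits:
            verdicts[host] = "suspicious"
        else:
            verdicts[host] = "clean"
    return verdicts


# Constructed sample events (not real telemetry). The deleted path is a
# placeholder; the article does not give the target of the Del command.
SAMPLE_EVENTS = [
    {"host": "ws01", "event_id": 11,
     "target_filename": r"C:\Users\a\Documents\README.HAes.txt"},
    {"host": "ws01", "event_id": 11,
     "target_filename": r"C:\Users\a\Documents\budget.xlsx.HAes"},
    {"host": "ws01", "event_id": 1,
     "command_line": r'cmd.exe /C ping 127.0.0.7 -n 3 > Nul & Del /f /q "C:\Users\a\Downloads\PLACEHOLDER.exe"'},
    {"host": "ws02", "event_id": 1,
     "command_line": "ping 127.0.0.1 -n 1"},  # benign connectivity check, no del
    {"host": "ws03", "event_id": 11,
     "target_filename": r"C:\Users\b\Desktop\README.HAes.txt"},
]

if __name__ == "__main__":
    for host, verdict in sorted(correlate(SAMPLE_EVENTS).items()):
        print(f"{host}: {verdict}")
```

The loopback regex is the point worth carrying into a real rule: matching the address family rather than one literal address is what keeps the 127.0.0.7 substitution from defeating the rule, and requiring the del in the same command line keeps ordinary connectivity checks from firing it.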
To respond to Mamona before damage is done, Wazuh uses YARA rules and a real-time File Integrity Monitoring (FIM) system.
When a suspicious file is added or modified, especially in a user's Downloads folder, the Wazuh Active Response module triggers a YARA scan.
This immediate, automated response acts before encryption spreads, in the same way that rapid automated mitigation is expected of DDoS protection.
As ransomware continues to evolve, so too must antivirus solutions; no single tool guarantees perfect protection, but solutions with modular response give defenders a flexible, evolving edge.
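The FIM-plus-scan flow described above, as an added example rather than Wazuh's FIM or Active Response code: it snapshots a watched directory, reports files that were added or modified since the baseline, and runs a content scan on each changed file. The scan function stands in for a YARA scan; its indicator strings (the ransom note name and the ping/delete fragment the article quotes) are assumptions for illustration, not a published YARA rule, and the directory and files are constructed in a temporary folder.

```python
"""Minimal file-integrity check that scans every added or modified file.

Added example; not Wazuh's FIM/Active Response code. The indicator
strings below are assumed for illustration, not a published YARA rule.
"""
import hashlib
import os
import tempfile

# Assumed indicators: the ransom note name from the article and the
# ping/delete command fragment it quotes, as they might appear in a dropper.
SUSPICIOUS_STRINGS = [b"README.HAes.txt", b"ping 127.0.0.7 -n 3"]


def snapshot(directory):
    """Map relative path -> SHA-256 of contents for every regular file."""
    state = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[os.path.relpath(path, directory)] = digest
    return state


def diff_snapshots(before, after):
    """Return (added, modified, deleted) relative paths, each sorted."""
    added = sorted(p for p in after if p not in before)
    modified = sorted(p for p in after if p in before and after[p] != before[p])
    deleted = sorted(p for p in before if p not in after)
    return added, modified, deleted


def scan_file(path):
    """Stand-in for a YARA scan: return the indicator strings found in the file."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [s.decode() for s in SUSPICIOUS_STRINGS if s in data]


def check_changes(directory, before):
    """Re-snapshot, scan each added/modified file, return (findings, new_state).

    findings maps relative path -> list of matched indicators; unchanged and
    deleted files are never scanned, which keeps the check cheap on large trees.
    """
    after = snapshot(directory)
    added, modified, _deleted = diff_snapshots(before, after)
    findings = {}
    for rel in added + modified:
        matches = scan_file(os.path.join(directory, rel))
        if matches:
            findings[rel] = matches
    return findings, after


def demo():
    """Constructed scenario: a clean baseline, then a new file carrying indicators."""
    with tempfile.TemporaryDirectory() as downloads:
        with open(os.path.join(downloads, "notes.txt"), "w") as fh:
            fh.write("quarterly planning\n")
        baseline = snapshot(downloads)
        # Simulate a new download whose bytes contain the assumed indicators.
        with open(os.path.join(downloads, "installer.exe"), "wb") as fh:
            fh.write(b"MZ...constructed sample...ping 127.0.0.7 -n 3 > Nul & Del /f /q"
                     b" ...README.HAes.txt...")
        findings, _state = check_changes(downloads, baseline)
        return findings


if __name__ == "__main__":
    print(demo())
```

In a real deployment the scan runs on the change event itself rather than on a polled snapshot, and the response step (quarantine or kill) is keyed to the matched rule; the diff-then-scan structure is the same.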