The cybersecurity landscape is once again witnessing the fallout of poor operational security (OPSEC) among ransomware operators. In the latest turn of events, Mamona, a ransomware group rebranded from BlackLock (also known as El Dorado), has suffered a significant blow as its Data Leak Site (DLS) was defaced by DragonForce, a rival threat actor.
Here is a screenshot taken from Ransomfeed.it, which however has been deleted from the platform as it is not a ransomware claim, but a collateral OPSEC operation between criminal gangs.
How it happened: OPSEC blunders exposed Mamona
The chain of events leading to Mamona’s downfall began when cybersecurity researchers discovered the group’s clearweb IP address. This critical piece of information inadvertently exposed their admin and affiliate panels, revealing insights into their ransomware builder. The consequences of this slip were severe, as it provided an open invitation for malicious actors to strike.
Mamona’s ransomware builder, accessible at 185.158.113[.]114:5000/affiliate/builder, was found to be a powerful toolkit allowing cybercriminals to generate ransomware variants targeting Windows, ESXi, and Linux/NAS environments. The builder included features such as:
- Encryption level control
- Self-delete and log wiping functionalities
- Process and service termination capabilities
With such a powerful arsenal readily available, the exposure of this builder posed a significant risk not only to Mamona but also to its affiliates and victims.
DragonForce’s swift retaliation
Once the clearweb IP and its vulnerabilities became public knowledge, it was only a matter of time before a retaliatory attack occurred. DragonForce, a known rival in the cybercriminal ecosystem, wasted no time in exploiting the exposed infrastructure. The defacement of Mamona’s DLS was not just an opportunistic attack but a calculated move aimed at humiliating the group and disrupting its operations.
This incident highlights a common trend in the ransomware landscape: adversaries are not just law enforcement or security researchers but also competing threat actors. Ransomware groups often engage in cyber warfare against each other, exploiting weaknesses to discredit rivals and seize control of their criminal markets.
Backlash from the cybercrime community
Following the attack, discussions on RAMP (Ransomware Marketplace Platform) revealed widespread criticism of Mamona’s security lapses. Even among cybercriminals, maintaining strong OPSEC is paramount, and Mamona’s failure has put its affiliates and operations at serious risk.
RAMP users expressed frustration, highlighting the potential legal and operational consequences for those affiliated with Mamona. A ransomware group that cannot secure its own infrastructure does little to inspire confidence among its criminal peers.
Lessons from Mamona’s mistakes
Mamona’s downfall serves as a cautionary tale for cybercriminals and cybersecurity professionals alike. Key takeaways from this incident include:
- The Importance of OPSEC: exposing a clearweb IP is a cardinal sin in cybercrime. Threat actors must maintain rigorous security protocols to avoid detection and infiltration.
- Threat Actors Exploit Weaknesses – Even Among Themselves: rival groups actively seek out vulnerabilities in competing ransomware gangs. A single mistake can lead to devastating consequences.
- Affiliates Demand Security: in the Ransomware-as-a-Service (RaaS) model, trust is crucial. A group that fails to secure its infrastructure risks losing credibility and affiliates.
- Law Enforcement Can Leverage These Mistakes: while DragonForce took the first strike, security researchers and law enforcement agencies may also capitalize on this incident to track down Mamona’s operators and disrupt their activities further.
What’s next for Mamona?
With their DLS defaced and their builder publicly exposed, Mamona faces an uncertain future. The damage to their reputation among affiliates and the broader cybercriminal ecosystem could prove irreversible. It remains to be seen whether the group will attempt to recover, rebrand yet again, or fade into obscurity.
For cybersecurity professionals, this incident underscores the importance of continuous monitoring and intelligence gathering in the fight against ransomware. While cybercriminals battle among themselves, researchers and law enforcement can leverage these internal conflicts to dismantle their operations.
As the cybersecurity community continues to track developments, one thing is certain: Mamona’s missteps have provided a rare glimpse into the vulnerabilities within ransomware organizations—and a valuable opportunity to strike back.