A new cyber threat is on the horizon — one that operates without an internet connection. Security researchers have identified Mamona ransomware, a stealthy malware that executes offline, encrypts files using locally generated keys, and erases its tracks, making detection extremely difficult.
Unlike traditional ransomware that relies on remote command-and-control servers, Mamona functions entirely offline by abusing the Windows ping command.
“Mamona generates encryption keys locally, making it effective even in air-gapped or isolated systems, challenging the belief that offline environments are inherently secure,” said Neehar Pathare, MD of 63SATS Cybertech. “This approach allows attackers to bypass standard network surveillance systems, making detection difficult.”
Cybersecurity expert Shubham Singh said, “Everything Mamona needs to lock your files is built into the malware itself. Once executed, it begins encrypting data autonomously, without needing to contact any server or hacker.”
How does Mamona spread?
According to Singh, Mamona spreads through physical media like Universal Serial Bus (USB) drives or external hard disks. Infection occurs when a user unknowingly plugs in a compromised device, triggering the ransomware.
“It often uses hidden files, autorun scripts, or obfuscation to bypass antivirus software. Even air-gapped systems are at risk because Mamona leverages human interaction with physical devices to gain entry,” Singh explained.
Pathare said, “The stealthy nature of such threats makes it essential for organisations to enforce strict device policies, maintain consistent offline backups, and train users in managing physical media responsibly. Hardware-based allow-listing and strong endpoint monitoring are also critical in defending isolated systems.”
Once the ransomware is activated, it generates encryption keys locally and displays a ransom note on the screen or as a file, instructing the victim to use another device – a smartphone or another computer – to contact the attacker. “In some cases, the ransom demand may include scanning a QR code or sending an email for further instructions,” said Singh.
Why Mamona is hard to detect
- Lack of internet connectivity prevents traditional security tools from monitoring or blocking the threat in real time.
- Offline systems often run outdated software, making them more vulnerable.
- Users may not immediately recognise signs of an attack, delaying response.
- USB ports are frequently unsecured, providing an easy entry point.
- Once executed, the malware is hard to isolate and remove.
How to stay safe
Singh suggested a few practical steps to stay safe from Mamona and similar threats.
- Avoid unknown USBs: Never plug in drives from unverified or unfamiliar sources.
- Use offline-capable antivirus tools: Ensure your endpoint protection can detect threats without relying on cloud-based systems.
- Keep all software updated: Even disconnected systems should receive regular firmware and patch updates.
- Back up data securely: Store backups in offline or read-only formats to allow recovery after an attack.
- Watch for warning signs: Renamed files, inaccessible documents, or strange messages may indicate ransomware.
- Train all users: Ensure that staff are aware of the risks of physical media and know how to report suspicious activity.
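The device policies, autorun blocking and physical-media monitoring recommended above can be enforced and checked on a Windows host. The PowerShell below is an added example written for this page, not code from the article or from either expert quoted; it assumes an elevated session, and the registry values it sets are the standard Windows Removable Storage Access and AutoRun policies rather than anything specific to Mamona.

```powershell
# Added example: harden a Windows host against USB-borne ransomware and review USB history.
# Assumes an elevated PowerShell session; policy paths are the standard Windows policy keys.
#Requires -RunAsAdministrator

# Device class GUID for "Removable Disks" used by the Removable Storage Access policy.
$RemovableDisksClass = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Set-RemovableDiskPolicy {
    # Deny execute on removable disks so a payload cannot be launched straight from a stick;
    # -DenyWrite additionally blocks writing, which stops the stick being used to carry data out.
    param([switch]$DenyWrite)
    $key = Join-Path $PolicyRoot $RemovableDisksClass
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'Deny_Execute' -Value 1 -Type DWord
    if ($DenyWrite) { Set-ItemProperty -Path $key -Name 'Deny_Write' -Value 1 -Type DWord }
}

function Disable-AutoRun {
    # NoDriveTypeAutoRun = 0xFF turns AutoRun/AutoPlay off for every drive type, so an
    # autorun script on inserted media is never started automatically.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    Set-ItemProperty -Path $key -Name 'NoAutorun' -Value 1 -Type DWord
}

function Enable-RemovableStorageAudit {
    # Logs file access on removable storage (event ID 4663) to the local Security log,
    # so activity on an air-gapped host is still recorded even without network monitoring.
    auditpol.exe /set /subcategory:"Removable Storage" /success:enable /failure:enable | Out-Null
}

function Get-UsbStorageHistory {
    # USBSTOR keeps an entry for every USB mass-storage device ever attached; compare the
    # serial numbers against the hardware allow-list during triage of a suspected infection.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $device = $_.PSChildName
            Get-ChildItem $_.PSPath | ForEach-Object {
                [pscustomobject]@{
                    Device       = $device
                    SerialNumber = $_.PSChildName
                    FriendlyName = (Get-ItemProperty $_.PSPath).FriendlyName
                }
            }
        }
}

Set-RemovableDiskPolicy -DenyWrite
Disable-AutoRun
Enable-RemovableStorageAudit
Get-UsbStorageHistory | Format-Table -AutoSize
```

The removable-storage policy applies to devices connected after it is set, so re-plug or reboot to confirm; in a domain, the same values are managed centrally through Group Policy rather than the local registry.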
The Safe Side:
As the world evolves, the digital landscape does too, bringing new opportunities—and new risks. Scammers are becoming more sophisticated, exploiting vulnerabilities to their advantage. In our special feature series, we delve into the latest cybercrime trends and provide practical tips to help you stay informed, secure, and vigilant online.