Mamona ransomware is a simple “commodity” ransomware strain that works completely offline, lowering the bar to entry for less sophisticated attackers, threat intelligence analyst Mauro Eldritch reported in an analysis of the strain published on the ANY.RUN blog Tuesday.

In contrast to ransomware-as-a-service (RaaS) schemes, where the ransomware developer works with affiliates and takes a cut of the profits, commodity ransomware operators simply sell the ransomware builder without any further contract.

In the case of Mamona, attackers don’t even need to set up command-and-control (C2) infrastructure, as the ransomware works completely offline, encrypting files using a “homemade” routine that does not rely on standard cryptographic libraries or APIs.

“Instead, all cryptographic logic is implemented internally using low-level memory manipulation and arithmetic operations,” Eldritch explained.

Mamona is a relatively new ransomware strain that was previously used by affiliates of the BlackLock ransomware group before it was dismantled and reportedly taken over by the DragonForce gang. One of Mamona’s builders was also leaked on the clear web, further increasing its availability to low-level cybercriminals.

As mentioned, Mamona does not make any connections to outside servers, making it a “mute” ransomware that operates locally and may be more difficult to detect. Upon infection, Mamona pings the loopback IP address 127.0.0.7 as a time delay before self-deleting its own executable using the del /f /q command to limit forensic analysis.

The malware performs some reconnaissance, collecting data such as the system name and configured language, and drops the ransom note “README.HAes.txt” in multiple folders, which threatens data exposure if the ransom is not paid.
Despite this, the ransomware does not make any online connection, and no data is exfiltrated from the victim’s machine. Instead, files are encrypted using the simplistic custom method and renamed with the .HAes extension, becoming inaccessible to the victim. The ransom note includes links to a dark web blog and chat portal for contacting the threat actor.

A sample of a Mamona decryptor obtained by Eldritch from another malware researcher known as Merlax revealed a visually clunky but functional tool that returned the files to their original state. A deeper analysis of the decryptor further confirmed the use of a homemade symmetrical encryption routine without the traditional XOR operation.

Eldritch warned that, although Mamona uses a relatively weak encryption method and lacks data exfiltration capabilities, its “silent” movement and ease of use for low-skill cybercriminals pose a risk to both individuals and organizations.

“This strain highlights a rising trend: ransomware that trades complexity for accessibility. It’s easy to deploy, harder to detect with traditional tools, and still effective enough to encrypt systems and pressure victims into paying,” Eldritch wrote.

Closely monitoring local activity and using dynamic analysis methods like sandboxing to better understand and investigate threats like Mamona can help security teams stay ahead of emerging “commodity” strains, Eldritch concluded.
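Because Mamona never reaches out to a C2 server, the host-side behaviours named above (the 127.0.0.7 delay ping chained with del /f /q, the README.HAes.txt note and the .HAes extension) are what a defender has to hunt for. The script below is an added example, not code from the article or from ANY.RUN: it flags process command lines that pair the loopback ping with a /f /q delete and counts ransom notes and .HAes files on disk. The sample command lines and directory tree are constructed; the exact ping arguments are an assumption, since only the address and the del command come from the article.

```python
import re
import tempfile
from pathlib import Path
from typing import Iterable

# Indicators quoted in the article: a ping to loopback 127.0.0.7 used as a
# delay, followed by "del /f /q" to remove the dropped executable, plus the
# README.HAes.txt note and the .HAes extension on encrypted files.
DELAY_PING = re.compile(r"\bping(\.exe)?\b.*\b127\.0\.0\.7\b", re.IGNORECASE)
SELF_DELETE = re.compile(r"\bdel\b\s+(?:/f\s+/q|/q\s+/f)\b", re.IGNORECASE)
RANSOM_NOTE = "README.HAes.txt"
ENCRYPTED_EXT = ".haes"

# Constructed process-creation command lines (not real telemetry). The ping
# arguments and the file path are assumptions; only 127.0.0.7 and
# "del /f /q" come from the article.
SAMPLE_CMDLINES = [
    r'cmd.exe /c ping 127.0.0.7 -n 3 > nul & del /f /q "C:\Users\victim\AppData\Local\Temp\stage.exe"',
    r"ping 127.0.0.1 -n 1",
    r"cmd.exe /c del /f /q C:\Temp\old.log",
    r"powershell.exe -Command Get-Process",
]

def flag_command_lines(cmdlines: Iterable[str]) -> list[str]:
    """Return command lines that pair the 127.0.0.7 delay ping with a /f /q delete.
    Either indicator alone is common admin activity; the combination is the signal."""
    return [c for c in cmdlines if DELAY_PING.search(c) and SELF_DELETE.search(c)]

def count_haes_artifacts(root: Path) -> dict[str, int]:
    """Count ransom notes and .HAes-renamed files beneath root (case-insensitive)."""
    counts = {"ransom_notes": 0, "encrypted_files": 0}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if p.name.lower() == RANSOM_NOTE.lower():
            counts["ransom_notes"] += 1
        elif p.suffix.lower() == ENCRYPTED_EXT:
            counts["encrypted_files"] += 1
    return counts

def demo_scan() -> dict[str, int]:
    """Build a constructed directory tree mimicking an infected share and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        for name in ("report.docx.HAes", "docs/budget.xlsx.HAes", "docs/untouched.txt"):
            (root / name).write_bytes(b"constructed")
        for folder in (root, root / "docs"):   # note dropped in multiple folders
            (folder / RANSOM_NOTE).write_text("constructed ransom note")
        return count_haes_artifacts(root)
```

Point `count_haes_artifacts` at a mounted file share or forensic image rather than the temporary tree to use it for real.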