Skip to main content

Operator dossier

hddcryptor (also tracked as Mamba) is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 2 public victims claimed by this operator between November 25, 2016 and May 7, 2020. HDDCryptor is an obscure ransomware variant that emerged in November 2016, primarily motivated by financial gain through targeted encryption attacks. The group's origin and affiliations remain largely undocumented in public threat intelligence reporting, with limited information available about their operational structure or ties to other cybercriminal organizations. Based on available incident data, HDDCryptor appears to have conducted targeted attacks with a specific focus on transportation systems infrastructure within the United States, though their exact initial access vectors and technical methodologies have not been extensively documented by major security research firms. The group's operational footprint appears minimal, with only one publicly documented victim case, suggesting either highly selective targeting or limited operational scope compared to more prolific ransomware families. Current intelligence indicates HDDCryptor has remained largely inactive or dormant since its initial observation period, with no significant campaigns or law enforcement actions publicly reported against the operators.

Most-targeted sectors

Most-affected countries

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

All groups

hddcryptor

aka Mamba · 2 victims indexed · first seen 10 years ago · last activity 6 years ago

2
Victims indexed
#300 of 364 tracked operators
3y 6m
Active period
Nov 2016 → May 2020
1
Countries hit
top United States · 2

At a glance

Status
inactive
Aliases
Mamba
First seen
10 years ago
Last activity
6 years ago
Primary sector
Transportation Systems · 1 hits

About

HDDCryptor is an obscure ransomware variant that emerged in November 2016, primarily motivated by financial gain through targeted encryption attacks. The group's origin and affiliations remain largely undocumented in public threat intelligence reporting, with limited information available about their operational structure or ties to other cybercriminal organizations. Based on available incident data, HDDCryptor appears to have conducted targeted attacks with a specific focus on transportation systems infrastructure within the United States, though their exact initial access vectors and technical methodologies have not been extensively documented by major security research firms. The group's operational footprint appears minimal, with only one publicly documented victim case, suggesting either highly selective targeting or limited operational scope compared to more prolific ransomware families. Current intelligence indicates HDDCryptor has remained largely inactive or dormant since its initial observation period, with no significant campaigns or law enforcement actions publicly reported against the operators.

References

3 links

External sources curated by the MISP threat-intel community.

Timeline

2 months
2016-11-01T00:00:00+00:00 · 12020-05-01T00:00:00+00:00 · 1
2016-11-01T00:00:00+00:002020-05-01T00:00:00+00:00

Top countries

🇺🇸 United States
2

Top sectors

Transportation Systems
1
Healthcare and Public Health
1

MITRE ATT&CK

3 techniques · 3 tactics

Tactics

Initial AccessExecutionImpact

Techniques

Recent victims

Loading…

Source

Updated 6 years ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time hddcryptor posts a victim.

Add hddcryptor to your watchlist — Pro pings you within 5 minutes of any new hddcryptor leak-site post, Telegram callout, or affiliate-rebrand inference.