A newly discovered strain of ransomware called Mamona has alarmed cybersecurity experts by demonstrating the ability to execute entirely offline. Unlike most modern malware, Mamona does not rely on internet connectivity or command-and-control servers. Instead, it spreads through contaminated USB drives and encrypts files using locally generated keys, making it particularly dangerous for air-gapped or isolated systems often considered secure.
The ransomware targets Windows-based environments and begins encryption by abusing built-in system tools like the ping command—typically harmless—making the attack harder to detect through traditional network monitoring tools. Once an infected USB drive is inserted, the malware runs quietly in the background, locking documents, media files, and other critical data before displaying ransom demands, typically in the form of a QR code or contact instructions.
Cybersecurity researchers warn that the threat could severely impact sensitive industries like defence, critical infrastructure, and manufacturing, where offline systems are common. The ransomware’s self-sufficient nature means that even machines disconnected from the internet are no longer safe from sophisticated attacks.
New risk model demands physical-digital defence strategies
Mamona’s emergence signals a fundamental shift in threat modelling. Organisations must now consider not just digital vectors but also physical media like USB drives as potential entry points for ransomware. The malware’s design takes advantage of outdated systems, patch delays, and the common assumption that offline equals secure.
Experts advise a combination of protective measures: banning unverified USB devices, deploying endpoint detection tools that don’t rely solely on network traffic, maintaining updated backups, and ensuring timely firmware and OS patches—even for isolated machines.
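One way to audit the removable-media controls recommended above on a Windows host, as an added example that is not from the original article and is not tied to any specific Mamona sample: the registry paths are the standard Group Policy locations for Removable Storage Access and AutoRun, while the -Enforce switch and the choice of checks are this script's own assumptions. Run it from an elevated PowerShell session.

```powershell
# Added example: audit (and optionally enforce) the Windows policies that back
# the "ban unverified USB devices" advice. The -Enforce switch is an assumption
# of this script, not a Windows feature.
param([switch]$Enforce)

$rsd   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Device-class GUID used by the "Removable Disks" Removable Storage Access policy
$disks = Join-Path $rsd '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$expl  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-PolicyValue($Path, $Name) {
    # Returns $null when the key or value is absent (policy not configured)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$checks = @(
    # Deny_All under the parent key blocks every removable storage class
    [pscustomobject]@{ Control='Removable storage: deny all';   Path=$rsd;   Name='Deny_All';           Want=1 }
    # Deny_Execute stops binaries launching directly from removable disks
    [pscustomobject]@{ Control='Removable disks: deny execute'; Path=$disks; Name='Deny_Execute';       Want=1 }
    # 0xFF disables AutoRun for every drive type, removable media included
    [pscustomobject]@{ Control='AutoRun disabled (all drives)'; Path=$expl;  Name='NoDriveTypeAutoRun'; Want=255 }
)

foreach ($c in $checks) {
    $have = Get-PolicyValue $c.Path $c.Name
    $ok   = ($have -eq $c.Want)
    if (-not $ok -and $Enforce) {
        New-Item -Path $c.Path -Force | Out-Null
        Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Want -Type DWord
        $have = $c.Want; $ok = $true
    }
    '{0,-32} {1}' -f $c.Control, $(if ($ok) { 'OK' } else { "MISSING (found: $have)" })
}

# Removable volumes currently mounted (DriveType 2): anything listed here is a
# live physical entry point on a host that is supposed to be isolated.
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' |
    Select-Object DeviceID, VolumeName, Size |
    Format-Table -AutoSize
```

Deny_All already covers what Deny_Execute does; the second check is kept so that a host whose blanket policy has been relaxed still shows whether execution from removable disks is blocked.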
Security professionals are also urging enterprises to rethink endpoint access policies and educate staff about the risks associated with external media. Mamona represents a growing class of threats that operate silently, autonomously, and without needing outside contact—raising the bar for cyber resilience in even the most controlled environments.
