
New Ransomware Installs Itself in the Master Boot Record


tipo


Security researchers have identified a new piece of ransomware which installs itself into the master boot record (MBR) and prevents the computer from booting into the operating system.

Ransomware is a term referring to programs that block access to critical system functionality or important documents and ask for money to restore it. This aggressive model is considered the next step in the evolution of scareware.

Ransomware programs appeared at the beginning of 2009, but they predominantly targeted Russian or Brazilian users. Newer variants affect users everywhere.

One particularly concerning application was reported last week. Upon installation, it encrypts a wide range of audio, video, image and doc files, in a variety of formats.

The attackers leave a text file behind on the computer, through which they ask for $120 in order to send the decryption key and restore the files.

However, a piece of ransomware was just discovered by security researchers from Kaspersky Lab. It is detected as Trojan-Ransom.Win32.Seftad.a and is dropped on the system by a recent version of the Oficla trojan downloader.

Upon execution, Seftad.a overwrites the master boot record with rogue code and forces the computer to reboot. The new MBR prevents the operating system from starting back up and displays a message which reads:

"Your PC is blocked. All the hard drives were encrypted. Browse www.[CENSORED].ru to get an access to your system and files. Any attempt to restore the drives using other way will lead to inevitable data loss !!!

"Please remember your ID: ##### [where # is a digit], with its help your sign-on password will be generated. Enter password: _"

The website mentioned in the message asks users for $100 to be sent via Paysafecard or Ukash, but paying this money is not necessary.

Fortunately, data on the hard drives is not actually encrypted and can be accessed again by bypassing the prompt and restoring the MBR.

The Kaspersky researchers note that a password of ‘aaaaaaciip’ should work to boot back into the system, but if it doesn't, they recommend downloading and using the free Kaspersky Rescue Disk 10.



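The post says the drives are not really encrypted and that the fix is to "restore the MBR". The block below is an added example (not code from the original post, from Kaspersky or from the Seftad.a sample) showing what that means at the byte level: an MBR is one 512-byte sector, 446 bytes of bootstrap code (the part a Seftad.a-style bootkit overwrites), four 16-byte partition entries, and the 0x55AA boot signature. It checks a sector against a trusted copy of the boot code and rebuilds it keeping the disk's current partition table. The boot code bytes, partition layout and ransom text are constructed for the demo; the function and constant names are this example's own.

```python
"""Inspect and repair a 512-byte Master Boot Record (MBR).

Added example; not code from the original post, from Kaspersky or from the
Seftad.a sample. Layout: bytes 0..445 bootstrap code (what Seftad.a overwrites),
bytes 446..509 four 16-byte partition entries, bytes 510..511 the 0x55AA boot
signature. All sector contents below are constructed for the demo.
"""
import struct
import sys

MBR_SIZE = 512
BOOT_CODE_SIZE = 446
PART_TABLE_OFFSET = 446
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"
# Partition entry: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4), little-endian
PART_ENTRY_FMT = "<B3xB3xII"


def parse_partition_table(mbr: bytes) -> list:
    """Return the four partition entries (empty slots included) as dicts."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack_from(PART_ENTRY_FMT, mbr, off)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr: bytes, known_good: bytes) -> dict:
    """Compare a sector against a trusted backup of the boot code.

    A valid signature together with foreign boot code is the Seftad.a picture:
    the BIOS still finds a bootable sector, but it boots into the ransom prompt
    instead of the OS loader.
    """
    return {
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "boot_code_modified": mbr[:BOOT_CODE_SIZE] != known_good[:BOOT_CODE_SIZE],
        "partitions": parse_partition_table(mbr),
    }


def repair_mbr(infected: bytes, known_good: bytes) -> bytes:
    """Rebuild the sector from trusted boot code plus the disk's CURRENT
    partition table and signature.

    Only the first 446 bytes come from the backup. Copying a whole backup
    sector over the disk would also restore a possibly stale partition table,
    which is how a recoverable infection turns into real data loss.
    """
    if len(infected) != MBR_SIZE or len(known_good) < BOOT_CODE_SIZE:
        raise ValueError("need a 512-byte sector and at least 446 bytes of boot code")
    return known_good[:BOOT_CODE_SIZE] + infected[PART_TABLE_OFFSET:MBR_SIZE]


def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a demo sector from boot code and up to four (bootable, type, lba, sectors) tuples."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")[:BOOT_CODE_SIZE]
    table = b"".join(struct.pack(PART_ENTRY_FMT, 0x80 if bootable else 0x00, ptype, lba, n)
                     for bootable, ptype, lba, n in partitions)
    return code + table.ljust(4 * PART_ENTRY_SIZE, b"\x00") + BOOT_SIGNATURE


# Constructed data: a stand-in for a normal boot sector (the first bytes are the
# common cli / xor ax,ax / mov ss,ax / mov sp,7C00h prologue) and a stand-in for
# a ransom sector whose code only prints the extortion text.
PARTITIONS = [(True, 0x07, 2048, 204800), (False, 0x07, 206848, 2097152)]
CLEAN_BOOT_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C"
RANSOM_BOOT_CODE = b"\xEB\x3C" + b"Your PC is blocked. All the hard drives were encrypted."
CLEAN = build_mbr(CLEAN_BOOT_CODE, PARTITIONS)
INFECTED = build_mbr(RANSOM_BOOT_CODE, PARTITIONS)


def read_sector0(path: str) -> bytes:
    """Read the first sector of a raw disk image (or, with privileges, a block device)."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


if __name__ == "__main__":
    # Usage: python mbr_check.py [disk.img]; without an argument the constructed infected sector is used.
    sector = read_sector0(sys.argv[1]) if len(sys.argv) > 1 else INFECTED
    report = check_mbr(sector, CLEAN)
    print("signature ok:", report["signature_ok"])
    print("boot code modified:", report["boot_code_modified"])
    for i, p in enumerate(report["partitions"]):
        if p["type"]:
            print(f"partition {i}: type 0x{p['type']:02X} lba {p['lba_start']} sectors {p['sectors']}")
    print("repaired == clean:", repair_mbr(sector, CLEAN) == CLEAN)
```

Run against a raw image of the first sector (for example one taken with dd before any repair) to see whether the signature is intact while the boot code differs from your backup. The repair deliberately keeps the partition table found on the disk, which is also why a rescue disk is the safer route when, as the reply below describes, the partition table itself has been damaged: then there is no trustworthy table left in the sector to keep.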

I wanted to let you know that posting this article allowed me to help a member on deviantart.com help her husband save his system... He had the third version of this infection, which did not answer to the passwords and had also attacked the partition table... By following the link here... using the video posted in the comments on the page... and using Hiren's BootCD... they were able to fully recover the system...

:thumbsup:


