Security researchers from
TrendMicro, F-Secure and Dr. Web have intercepted two new ransomware
variants currently circulating in the wild. This new ransomware variant
prevents infected computers from loading Windows by replacing their
master boot record (MBR) and displays a message asking users for money.
master boot record (MBR) and displays a message asking users for money.
Cris Pantanilla, a threat response engineer at Trend Micro said, "Based on our analysis, this malware copies the original MBR and overwrites it with its own malicious code," "Right after performing this routine, it automatically restarts the system for the infection take effect."
The MBR is a piece of code that
resides in the first sectors of the hard drive and starts the boot
loader. The boot loader then loads the OS. Instead of starting the
Windows boot loader, the rogue MBR installed by the new ransomware
displays a message that asks users to deposit a sum of money into a
particular account via an online payment service called QIWI, in order
to receive an unlock code for their computers.
Both F-Secure and Dr.Web have
intercepted an identical ransomware variant. Upon execution it encrypts
all files, by adding a .EnCiPhErEd file extension. End users are given
the option to have 5 attempts to try and enter the unlock code, in
between the malware deletes itself and leaves the files encrypted.
The ransomware displays the following message to infected users:
Attention! All your files are encrypted! You are using unlicensed programms! To restore your files and access them, send code Ukrash or Paysafecard nominal value of EUR 50 to the email koeserg@gmail.com. You have 5 attempts to enter the code. If you exceed this of all data irretrievably spoiled. Be careful when you enter teh code!
Repairing the MBR is no trivial matter and usually requires booting from the Windows installation disk, getting into the recovery command console and typing special commands.Ransomware infections are typically more common throughout Eastern Europe and South America, but this type of malware is slowly gaining traction in other regions of the world as well.
No comments:
Post a Comment