Ransomware stops Windows from booting by replacing its master boot record
Ransomware asks users to pay up before letting them start Windows
IDG News Service - A new ransomware variant prevents infected computers from loading Windows by replacing their master boot record (MBR) and displays a message asking users for money, according to security researchers from Trend Micro.
"Based on our analysis, this malware copies the original MBR and overwrites it with its own malicious code," said Cris Pantanilla, a threat response engineer at Trend Micro, in a blog post on Thursday. "Right after performing this routine, it automatically restarts the system for the infection take effect."
The MBR is a piece of code that resides in the first sectors of the hard drive and starts the boot loader. The boot loader then loads the OS.
Instead of starting the Windows boot loader, the rogue MBR installed by the new ransomware displays a message that asks users to deposit a sum of money into a particular account via an online payment service called QIWI, in order to receive an unlock code for their computers.
"This code will supposedly resume operating system to load and remove the infection," Pantanilla said. "When the unlock code is used, the MBR routine is removed."
As the name implies, ransomware applications hold something belonging to the victim in ransom until they pay a sum of money. This type of malware is considered the next step in the evolution of scareware, malicious programs that scare users into paying money.
The majority of ransomware applications disable important system functionality or encrypt documents and pictures, but this is the first ransomware program that Trend Micro researchers have seen replacing the MBR to prevent the system from starting.
This represents a serious escalation in ransomware techniques. While users can still run security tools to clean their systems of traditional ransomware applications and even recover some files, if Windows doesn't start at all, like in this case, the remediation procedure becomes much more difficult.
Repairing the MBR is no trivial matter and usually requires booting from the Windows installation disk, getting into the recovery command console and typing special commands.
Ransomware infections are typically more common throughout Eastern Europe and South America, but this type of malware is slowly gaining traction in other regions of the world as well. Some variants that impersonate law enforcement agencies and ask victims to pay fictitious fines have recently been detected in Western Europe.
"Though overshadowed by other more newsworthy threats, ransomware attacks are definitely not out of picture. In fact, this threat appears to be flourishing, as evidenced by the growth of ransomware infections in other parts of Europe," Pantanilla said.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
Red Hat Enterprise Linux - The Original Cloud Operating System
Linux adoption is growing against a number of measures, such as the
number of supercomputers that run Linux and the size of the contributing...
- OpenStack Hype vs. Reality: CIO Quick Pulse Open-source architecture can enable IT departments to build infrastructure-as-a-service (IaaS) clouds running on standard hardware.
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Malware and Vulnerabilities White Papers | Webcasts