-
Moderator
And Now, an MBR Ransomware
Posted by: Denis
Kaspersky Lab Expert
Posted November 29, 22:47 GMT
Today my colleague Vitaly Kamluk wrote about a new GpCode-like ransomware which encrypts user’s files with RSA-1024 and AES-256 crypto-algorithms. We’re continuing to investigate this malware and will notify you about our findings.
However, GpCode.ax is not the only piece of ransomware we found today. We’ve just discovered a malware which overwrites the master boot record (MBR) and demands a ransom to retrieve a password and restore the original MBR. This malware is detected as Trojan-Ransom.Win32.Seftad.a and Trojan-Ransom.Boot.Seftad.a.
This ransomware is downloaded by Trojan.Win32.Oficla.cw.....
-
Guest
Threat level 2
Summary
- Malware: Trojan-Ransom.Win32.Gpcode.ax
- Status: low risk
- Threat: Kaspersky Lab warns users about the emergence online of a new version of the Gpcode ransomware program.
- Source: The program spreads via malicious websites and P2P networks.
Last edited by Ceyfer √; 12-01-2010 at 06:59 PM.
Reason: added some fancy kaspersky gfx alert icons
"Stars and the Sun"
-
Experienced User
Thanks leofelix and ceyfer
I have been keeping myself updated by reading their article/forum since yesterday evening. For the MBR ransomware, they have decoded the password of both samples to unlock machines. For the Gpcode sample, they are working hard to decode its algorithm and find a way to get the encrypted files of end users.
Windows 7 SP1 Ultimate x86 + KIS 2011 (11.0.2.556 b.a.c.d) + Sandboxie Paid (3.54) + Deep Freeze Standard (7.20.020.3398)
-
Moderator
Thank you for the update, guys. It's this sort of scumware that gets my back up; they should do jail time for this with some big hairy biker in a small cell. As BoyFriend mentioned, it is important to be aware of what is out there...
-
Modern-day Romeo
Question: Do MBRGuard and any other software that protects the MBR, like light virtualization software, prevent the ransomware even when it's launched with admin rights? What about ISR? I assume it will, but have there been cases where any particular ones were 'bypassed'? Just curious...
They call me the mysterious one...
my motto is...when it's hot, chill baby