Posted

Security researchers have identified a new piece of ransomware which installs itself into the master boot record (MBR) and prevents the computer from booting into the operating system.

 

Ransomware is a term referring to programs that block access to critical system functionality or important documents and ask for money to restore it. This aggressive model is considered the next step in the evolution of scareware.

 

Ransomware programs appeared at the beginning of 2009, but they predominantly targeted Russian or Brazilian users. Newer variants affect users everywhere.

 

One particularly concerning application was reported last week. Upon installation, it encrypts a wide range of audio, video, image and doc files, in a variety of formats.

 

The attackers leave a text file behind on the computer, through which they ask for $120 in order to send the decryption key and restore the files.

 

However, a piece of ransomware was just discovered by security researchers from Kaspersky Lab. It is detected as Trojan-Ransom.Win32.Seftad.a and is dropped on the system by a recent version of the Oficla trojan downloader.

 

Upon execution, Seftad.a overwrites the master boot record with rogue code and forces the computer to reboot. The new MBR prevents the operating system from starting back up and displays a message which reads:

 

"Your PC is blocked. All the hard drives were encrypted. Browse http://www.[CENSORED].ru to get an access to your system and files. Any attempt to restore the drives using other way will lead to inevitable data loss !!!

 

"Please remember your ID: ##### [where # is a digit], with its help your sign-on password will be generated. Enter password: _"

 

The website mentioned in the message asks users for $100 to be sent via Paysafecard or Ukash, but paying this money is not necessary.

 

Fortunately, data on the hard drives is not actually encrypted and can be accessed again by bypassing the prompt and restoring the MBR.

 

The Kaspersky researchers note that a password of ‘aaaaaaciip’ should work to boot back into the system, but if it doesn't, they recommend downloading and using the free Kaspersky Rescue Disk 10.

 

 

Source:

New Ransomware Installs Itself in the Master Boot Record - Softpedia

Member of:

UNITE

Posted

Damn. Nice post. Keeping up to date is easier with you posting.

 

Just did a cleanup on a Limewire infested computer but that was easy. So much worse going on these days.

We are all members helping other members. Please return here where you may be able to help someone else. After all, no one knows everything and you may have the answer that someone needs.

Get help with computer problems. Join Free PC Help here

 

Donations are welcome. Read Here

Posted
Keeping up to date is easier with you posting

I have to check for new malware articles on a regular basis so that I can keep up with any new variants, so it's easy to add anything here that I think may be of help to the members.

 

Just did a cleanup on a Limewire infested computer but that was easy. So much worse going on these days.

True, the bad guys are getting more clever in evading our tools.

It's a good job that some of our guys are just that bit cleverer than them.

Member of:

UNITE
