Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    July 2014
    S M T W T F S
    « Jun    
     12345
    6789101112
    13141516171819
    20212223242526
    2728293031  
    • About Us
    blog.trendmicro.com Sites > TrendLabs Security Intelligence Blog > Malware > Ransomware Takes MBR Hostage

    We encountered a ransomware unlike other variants that we have seen previously. A typical ransomware encrypts files or restricts user access to the infected system. However, we found that this particular variant infects the Master Boot Record (MBR), preventing the operating system from loading. Based on our analysis, this malware copies the original MBR and overwrites it with its own malicious code. Right after performing this routine, it automatically restarts the system for the infection to take effect. When the system restarts, the ransomware displays the following message:

    This message prompt informs affected users that the PC is now blocked and that they should pay 920 hryvnia (UAH) via QIWI to a purse number (12 digits) – 380682699268. Once paid,they will receive a code that will unlock the system. This code will supposedly resume operating system to load and remove the infection. This particular variant has the “unlock code” in its body. When the unlock code is used, the MBR routine is removed.

    Trend Micro detects this ransomware as TROJ_RANSOM.AQB and the infected MBR as BOOT_RANSOM.AQB.

    Ransomware Still In The Game

    Unfortunately, we may not be seeing the end of ransomware attacks just yet. Last February, certain attackers compromised the website of the French confectionery shop Ladurée to spread the malware. Users who visited the said site when it was compromised ended up with systems infected with TROJ_RANSOM.BOV. This variant was found to display a notification that impersonates the French National Gendarmerie and demands payment from affected users. The people behind this attack have also impersonated police notifications from Italy, Germany, Belgium, and Spain.

    Though overshadowed by other more newsworthy threats, ransomware attacks are definitely not out of picture. In fact, this threat appears to be flourishing, as evidenced by the growth of ransomware infection in other parts of Europe.

    Trend Micro protects users from this attack via Trend Micro™ Smart Protection Network™ that detects and deletes all the related malware. Users can also restore the original setting of the MBR via Recovery Console. To know more about this, you may refer to our Threat Encyclopedia entry here.

    As an added precaution, users must keep their system up-to-date with the latest security patch provided by vendors and avoid clicking links contained in dubious-looking messages.





    Share this article
    		 Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon



    This entry was posted on Thursday, April 12th, 2012 at 5:16 am and is filed under Malware . Both comments and pings are currently closed.





     

    Other Trend Micro blogs
    CTO Insights
    CounterMeasures Blog
    Cloud Security Blog
    Consumerization Blog
    Fearless Web
    Internet Safety for Kids & Families
    Simply Security News
    Trend Micro Blog [German]
    TrendLabs Security Blog [Japan]
    Cloud Security APAC
    Trend Micro Free Tools Threat Encyclopedia Trend Micro Videos
    Do you have a product-related question? Visit our eSupport website.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice