Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Ransomware Infects Master Boot Record, Trend Micro Finds

Researchers at Trend Micro have uncovered a piece of ransomware targeting the master boot record to take control of a system.

The move is a step beyond typical pieces of ransomware, which usually encrypt files or restricts user access to the infected system. In this case however, the malware copies the original MBR and overwrites it with its own malicious code.

Researchers at Trend Micro have uncovered a piece of ransomware targeting the master boot record to take control of a system.

The move is a step beyond typical pieces of ransomware, which usually encrypt files or restricts user access to the infected system. In this case however, the malware copies the original MBR and overwrites it with its own malicious code.

“Right after performing this routine, it automatically restarts the system for the infection take effect,” Cris Pantanilla, a threat response engineer at Trend Micro, wrote in a blog post.

When the system restarts, the users are greeted with a message (below) telling them their PC is now blocked and that they should pay 920 hryvnia (UAH) via the QIWI payment service to a purse number. Once that is done, the attacker promises to hand over a code to unlock the system, Pantanilla added.

Trend Micro told SecurityWeek Thursday that they have only seen one case of this particular piece of malware so far. The company did not have additional information about how the machine was infected. However in the last 30 days, the company has observed nearly 9,000 ransomware threats, the company said.

Ransomware Infects MBR

In February, French users were targeting in an attack when a legitimate website was compromised and made to serve up phony notifications from the country’s National Gendarmerie police force that infected users. In January, Japanese users were targeted with ransomware as part of a one-click billing fraud scheme focused on Android phones.

According to Trend Micro, as of March 8, the United States was home to the largest percentage of the ransomware infections, and five of the top eight countries for infections were in Europe.

“Unfortunately, we may not be seeing the end of ransomware attacks just yet,” Pantanilla explained.

“Though overshadowed by other more newsworthy threats, ransomware attacks are definitely not out of picture,” he continued. “In fact, this threat appears to be flourishing, as evidenced by the growth of ransomware infection in other parts of Europe…As an added precaution, users must keep their system up-to-date with the latest security patch provided by vendors and avoid clicking links contained in dubious-looking messages.”

Related Reading: Researchers Report Massive Increase in Boot Time Malware

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.