Ransomware Uses Blackmail Tactic for Retrieving MBR
According to experts at Trend Micro the security company, one fresh strain of ransomware infects PCs rendering them unable to load Windows as it substitutes their MBR followed with exhibiting a message demanding cash from the owners.
The ransomware reportedly, replicates the actual MBR followed with replacing it by malevolent code of its own and immediately after that mechanically booting the system afresh when infection effectively sets in.
During rebooting, the ransomware's message warns the user of all his folders and files as gotten encrypted. That's because he's utilizing unlicensed software. But the folders/files can be restored if the user transmits a PaySafeCard or Ukash code for a small 50 Euros at the firstname.lastname@example.org id. The code can be entered with five attempts, which incase exceeds will result in total damage of the data-restoration, the message cautions.
Notably, ransomware is malware that takes an item of the victimized individual to ransom and returns it only after getting paid an amount of money demanded. Such malware is expected to lead to the subsequent stage in scareware's development (malicious software, which frightens users into making a fee payment).
The message as described tells infected end-users that their computers are currently locked and that by paying 920 UAH (hryvnia) through QIWI to one 12-digit (380682699268) purse-number they can again use their machine with an unlocking code delivered to them. This code, as claimed, seemingly will recommence the operating system towards making installations or eliminating malware. The mentioned 'unlock code' whilst used removes the MBR.
In general, ransomware destabilizes key system utilities alternatively encodes images and documents; however, the Trend Micro-discovered ransomware is unprecedented which substitutes the MBR for terminating the computer's booting ability.
Moreover, according to the Trend Micro experts, commonly, ransomware infections plague South America and Eastern Europe; however, the MBR-replacing ransomware is gradually acquiring momentum elsewhere too.
Indeed simultaneously, Dr. Web along with F-Secure lately identified one exactly same ransomware strain that once executed encoded all folders/files after adding an .EnCiPhErEd filename. With users getting five attempts for making trials of the decrypting key, the ransomware meanwhile, erased itself but kept the folders/files encrypted.
Related article: Ransomware Trojan Asks for $300 for Giving User Data Back
» SPAMfighter News - 20-04-2012