New MBRFilter Tool Blocks Attacks by Ransomware

According to Check Point, ransomware operators are carrying out ever-more dangerous threats, but, Cisco Talos Labs' security researchers have found one method for fighting back.

Like never before, Check Point reports, one ransomware sample is on the company's Top Three Global Malware counts, and that is Locky ransomware that contributed 6% to the total assaults detected worldwide in September.

To shave off ransomware programs, Cisco Talos recently issued MBRFilter a filter driver for Windows disk which checks for programs attempting at rewriting MBR (Master Boot Record) so that it can block such programs. Consequently, the kind of ransomware programs is blocked from getting planted as also encrypting MBR.

When Petya was discovered in April, F-Secure the security company was first to issue a warning. Ransomware programs generally just encrypt files, but there's one separate tactic that Petya uses, operating more as any rootkit. It modifies an infected computer's MBR that compels rebooting of the system. When rebooted, Petya locks the Master File Table by encrypting it. A Master File Table exists inside the hard drive of a computer.

The above encryption procedure happens faster compared to the regular file-by-file handling of other ransomware programs. Petya leaves hardly any time for realizing a problem exists let alone the time to get help. Darkreading.com posted this, October 20, 2016.

The new filter MBRFilter performed excellently in stopping all ransomware attacks and leaving the MBR unaffected. In trial, the filter planted a combo installer of Petya+Mischa followed with clicking on No during an UAC prompt. Thus, Mischa was planted that effectively encrypted the PC's data-files.

But MBRFilter hasn't been designed for thwarting the Mischa kinds of ransomware. However, if any ransomware installer attempts at overwriting MBR but doesn't succeed then it plants file-encrypting ransom software for the purpose.

And though MBRFilter won't come in aid of organizations in eradicating Locky, it contains other functions beyond ransomware that are widely played.

MBRFilter works as an ordinary disk filter that uses the classpnp and diskperf e.g drivers of Microsoft. However, it should be used after thoroughly testing it in production situations as it has been purposely designed hard for removing.

» SPAMfighter News - 10/26/2016