New Ransomware compromises Master Boot Record (MBR) and demands 920 hryvnia($114) to unlock the system. This is completely different from the previous ransomwares.Usually, ransomware encrypts files or restricts user access to the infected system.
After analyzing the malware sample , TrendMicro researcher found that the malwares copies the original MBR and overwrites it with its own malicious code.
This prevents the victim's Operating system from loading.
Once it modifies the MBR ,it automatically restarts the system for the infection take effect. When the system restarts, the ransomware informs the victim's system is blocked and demands 920 hryvnia (UAH) via QIWI to a purse number (12 digits) – 380682699268.
Once paid,they will receive a code that will unlock the system. This code will supposedly resume operating system to load and remove the infection. This particular variant has the “unlock code” in its body. When the unlock code is used, the MBR routine is removed.
After analyzing the malware sample , TrendMicro researcher found that the malwares copies the original MBR and overwrites it with its own malicious code.
This prevents the victim's Operating system from loading.
Once it modifies the MBR ,it automatically restarts the system for the infection take effect. When the system restarts, the ransomware informs the victim's system is blocked and demands 920 hryvnia (UAH) via QIWI to a purse number (12 digits) – 380682699268.
Once paid,they will receive a code that will unlock the system. This code will supposedly resume operating system to load and remove the infection. This particular variant has the “unlock code” in its body. When the unlock code is used, the MBR routine is removed.
Trend Micro detects this ransomware as TROJ_RANSOM.AQB and the infected MBR as BOOT_RANSOM.AQB.
){kind=link}