New Ransomware Encrypts MBR

Tuesday, July 12, 2016 @ 01:07 PM gHale


There is a new brand of ransomware that can encrypt the master boot record (MBR), researchers said.

Satana ransomware encrypts files using the same methods other ransomware families use. It then renames each encrypted file by prepending the crook’s email address, so a file ends up looking like this: “email@domain.com____filename.extension”


Satana then encrypts the MBR and replaces it with its own. The next time the user reboots, Satana’s MBR boot code loads instead of the operating system, the computer won’t start, and Satana’s ransom note is displayed.
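As an added illustration of how a defender might act on the two behaviors described above (the “email____filename” rename and the replaced MBR), the following Python is example code, not from the article or from the Malwarebytes research: it matches filenames against the described rename pattern, groups the hits by the contact address they carry, and compares a captured 512-byte boot sector against a known-good hash. The sample filenames and the boot sector are constructed here for the demonstration; the regular expression is an assumption based only on the pattern the article quotes.

```python
import hashlib
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Rename pattern as the article describes it:
#   "<email>____<original filename>.<extension>"
# The character classes are an assumption: an address with no whitespace,
# path separators or a second "@", followed by four underscores.
SATANA_NAME_RE = re.compile(
    r"^(?P<email>[^\s/\\@]+@[^\s/\\@]+\.[A-Za-z]{2,})____(?P<original>.+)$"
)


def parse_satana_name(name: str) -> Optional[Tuple[str, str]]:
    """Return (email, original_name) if the basename matches the rename
    pattern, otherwise None."""
    m = SATANA_NAME_RE.match(name)
    if m is None:
        return None
    return m.group("email"), m.group("original")


def scan_names(names: Iterable[str]) -> Dict[str, List[str]]:
    """Group matching filenames by the address they carry, so a responder can
    see how many files were touched and which campaign address they point to."""
    hits: Dict[str, List[str]] = {}
    for n in names:
        parsed = parse_satana_name(n)
        if parsed is None:
            continue
        email, original = parsed
        hits.setdefault(email, []).append(original)
    return hits


def sector_hash(sector: bytes) -> str:
    """SHA-256 of a boot sector, used to record a known-good baseline."""
    return hashlib.sha256(sector).hexdigest()


def mbr_is_modified(sector: bytes, baseline_sha256: str) -> bool:
    """True if a captured 512-byte boot sector differs from the baseline hash
    or no longer ends with the 0x55AA boot signature."""
    if len(sector) != 512:
        raise ValueError("MBR sector must be exactly 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        return True
    return sector_hash(sector) != baseline_sha256


# Constructed sample filenames (not taken from any real infection).
SAMPLE_NAMES = [
    "report.docx",
    "attacker@example.com____report.docx",
    "attacker@example.com____budget.xlsx",
    "other@example.org____photo.jpg",
    "readme____notes.txt",  # four underscores but no address: not a hit
]

if __name__ == "__main__":
    for email, files in scan_names(SAMPLE_NAMES).items():
        print(f"{email}: {len(files)} file(s) -> {files}")
    good_sector = bytes(510) + b"\x55\xaa"  # constructed, minimal valid sector
    print("MBR changed:", mbr_is_modified(bytes(512), sector_hash(good_sector)))
```

In practice the baseline hash would be taken from the first sector of the system disk on a clean machine and stored off-host, so that a later capture can be compared before the next reboot; the filename scan is cheap enough to run over a file share after a suspicious burst of rename events.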

It may be possible to recover the original MBR, but doing so won’t necessarily restore the rest of the encrypted files, said researcher hasherezade from Malwarebytes. Repairing the MBR through Windows’ command-line tools is a procedure that very few users can carry out correctly, so even this step is not guaranteed to give users back access to their PC.

The encryption algorithm used on the rest of the files is strong and cannot be brute-forced, leaving the files locked unless the user decides to pay the ransom, something hasherezade doesn’t advise.

“Even victims who pay may not get their files back if they (or the C&C) went offline when encryption happened,” she said.

The ransomware looks like a work-in-progress, as its developers are still tinkering with its code, which also contains a lot of bugs, so this might not be the last time we hear about Satana, hasherezade said.