April 12, 2012, 12:17 PM —
A new ransomware variant prevents infected computers from loading Windows by replacing their master boot record (MBR) and displays a message asking users for money, according to security researchers from Trend Micro.
"Based on our analysis, this malware copies the original MBR and overwrites it with its own malicious code," said Cris Pantanilla, a threat response engineer at Trend Micro, in a blog post on Thursday. "Right after performing this routine, it automatically restarts the system for the infection take effect."
The MBR is a piece of code that resides in the first sectors of the hard drive and starts the boot loader. The boot loader then loads the OS.
Instead of starting the Windows boot loader, the rogue MBR installed by the new ransomware displays a message that asks users to deposit a sum of money into a particular account via an online payment service called QIWI, in order to receive an unlock code for their computers.
"This code will supposedly resume operating system to load and remove the infection," Pantanilla said. "When the unlock code is used, the MBR routine is removed."
As the name implies, ransomware applications hold something belonging to the victim in ransom until they pay a sum of money. This type of malware is considered the next step in the evolution of scareware, malicious programs that scare users into paying money.
The majority of ransomware applications disable important system functionality or encrypt documents and pictures, but this is the first ransomware program that Trend Micro researchers have seen replacing the MBR to prevent the system from starting.