
Super-Rare Ransomware Breaches Boot Record

A very rare piece of ransomware that stops machines from loading up has been spotted by security giant Trend Micro.

Typically, ransomware encrypts files or restricts user access to the infected system, but the TROJ_RANSOM.AQB variant infects the Master Boot Record (MBR) of computers. The ransomware copies the original MBR and overwrites it with its own malicious code.

A user running an infected machine would be barred from entering their operating system. Instead, when their system is booting up, they will be asked to pay money in order to get a password to unlock the computer. They are asked to pay 920 Ukrainian hryvnia (£72.32).
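Because this kind of infection replaces the boot code in the first disk sector, comparing that sector against a known-good copy exposes the change. The following is an added example, not code from Trend Micro or this article; the function names are hypothetical and both sample sectors are constructed.

```python
import hashlib
import struct

BOOT_CODE_END = 446    # bytes 0..445 hold the bootstrap code
TABLE_END = 510        # bytes 446..509 hold four 16-byte partition entries

def parse_mbr(sector):
    """Split a 512-byte MBR into boot-code hash, partition list, signature flag."""
    if len(sector) != 512:
        raise ValueError("an MBR sector is exactly 512 bytes")
    partitions = []
    for off in range(BOOT_CODE_END, TABLE_END, 16):
        status, _, ptype, _, lba, count = struct.unpack_from("<B3sB3sII", sector, off)
        if ptype:  # type 0x00 marks an unused slot
            partitions.append((status == 0x80, ptype, lba, count))
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[TABLE_END:] == b"\x55\xaa",
    }

def compare_to_baseline(baseline, current):
    """Return a list of differences between a known-good MBR and the current one."""
    good, now = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not now["signature_ok"]:
        findings.append("boot signature missing")
    if now["boot_code_sha256"] != good["boot_code_sha256"]:
        findings.append("boot code changed")
    if now["partitions"] != good["partitions"]:
        findings.append("partition table changed")
    return findings

def build_sector(boot_code):
    """Constructed sample sector: given boot code plus one active type-0x07 entry."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\0" * 3, 0x07, b"\0" * 3, 2048, 204800)
    table = entry + b"\0" * 48
    return boot_code.ljust(BOOT_CODE_END, b"\0") + table + b"\x55\xaa"

# Constructed inputs, not real boot code or a real sample.
BASELINE = build_sector(b"\xfa\x33\xc0" + b"original loader")
CURRENT = build_sector(b"\xfa\x33\xc0" + b"replaced loader")

if __name__ == "__main__":
    print(compare_to_baseline(BASELINE, BASELINE))  # []
    print(compare_to_baseline(BASELINE, CURRENT))   # ['boot code changed']
```

The baseline has to be captured per machine while it is known to be clean, since the hashed region differs between installations.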

Hidden malware?

As for how rare this kind of malicious kit is, this piece of ransomware is one of a handful that have ever been seen.

“As of now, this is the only sample I have encountered. The ransomware that we usually get just disables some Windows Utilities or encrypts files but not as deep as this one. We currently have not seen any other variant using a different language,” Rik Ferguson, Trend Micro’s director of security research and communication, told TechWeekEurope.

“Based on our analysis, after entering the unlock code, the OS loading will resume. Rescanning the MBR and restarting the system shows that the infected MBR has been removed.”

What’s more, Trend analysis has indicated the ransomware may be doing other nasty things.

“This malware may have other component malware. Also, it is possible that a component malware may execute this infector and may cause reinfection,” Ferguson said.

This is not the first piece of MBR-infecting ransomware ever seen. Back in November 2010, Kaspersky spotted ransomware doing the same, demanding a ransom to retrieve a password and restore the original MBR.

The infamous Cutwail botnet has been one of the biggest pushers of ransomware.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
