Prevx Blog
Ransomware is a technique malware writers use to extort money from their victims by a very simple method. Ransomware does not place hooks in the system, does not install a rootkit or any other malware, and does not even steal your data.
It uses something more obvious, but more effective: it is the digital copy of well-known blackmail. And the scary part is that it usually reaches its goal very effectively!
Ransomware is a specific kind of malware that holds the user's data to ransom by encrypting all critical files on the PC. Users are asked to make a payment to receive the password that allows all the files to be decrypted.
We have seen many ransomware families over the years, some using very weak encryption algorithms, others using very strong algorithms whose output cannot actually be decrypted without the password.
Today we are seeing a new kind of ransomware, able to hit the Master Boot Record of the hard drive. This is the first time ransomware has taken advantage of the MBR to block users from accessing their data.
The Master Boot Record has become (again) one of the critical weak points that malware can exploit to hit the system while bypassing the security solutions installed on it. MBR rootkit, Whistler bootkit and TDL4 rootkit are only a few of the infamous names of malware families developed in recent years that are capable of attacking the MBR. Now ransomware has landed there too, as Trojan.MBRLock.
This ransomware is dropped on the victim's PC by other infections, and once executed it tries to infect the MBR by opening a handle to the PhysicalDrive disk device. This action is available only to users with administrative privileges, and on Windows Vista/7 it must pass through User Account Control. Users with UAC enabled, or limited users, are protected from this threat unless they wrongly choose to grant the file administrative privileges.
If the infection occurs, the trojan copies out the original MBR to the fifth sector of the hard drive and swaps the MBR signature from 0xAA55 to 0xBEAF. It then overwrites the first three sectors of the hard drive with its own MBR loader code.
When the system is restarted, a message like the one in the image below appears on the screen:
The MBR code is straightforward, though effective. All the data on the hard drive is claimed to be encrypted, but this isn't actually true: the only thing that has been overwritten is the MBR.
The password to recover the MBR must be 16 bytes long, though the user can input a shorter password; the trojan makes sure it is 16 bytes long by appending space characters to it.
The password entered by the user is then hashed to a 16-bit value and compared with the two bytes stored at the end of the third sector, just before the ending signature 'hjmc'. This is a very effective approach because it leaves no quick way to calculate and recover the password: we would only know its hash.
The algorithm used to hash the password is the following: the hashing routine takes each character of the password, puts it in a 16-bit register and swaps the low byte with the high byte (i.e. the character 0x61 is read as 0x0061 and then swapped to 0x6100). The 16-bit value is then XOR'd with the current hash value, which starts at zero of course, and the hash value is left-shifted 8 times. Whenever a shift sets the carry flag, the hash value is XOR'd with 0x1021. The whole loop is repeated 16 times, once for each byte of the padded password.
Storing only the hash allows the attackers to quickly change the password without touching the code. While this approach looks simple, it is quite effective because affected users are not able to get access to their systems.
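The hashing loop described above, written out as an added example (not code from the Prevx post or from the trojan): feeding each byte into the high half of a 16-bit register, shifting left eight times and XORing 0x1021 on every carry is the bit-serial form of CRC-16/XMODEM (polynomial 0x1021, initial value 0), which is why the standard check value for "123456789" comes out of it. The treatment of passwords longer than 16 characters is an assumption; the post does not say.

```python
# Added example, not from the original post: the Trojan.MBRLock password
# hash as described (swap bytes, XOR into the hash, 8 left shifts with
# XOR 0x1021 on carry, 16 rounds over the space-padded password).

def crc16_xmodem(data: bytes) -> int:
    """Bitwise CRC-16/XMODEM: each byte lands in the high half of the
    16-bit register ("swapped" 0x61 -> 0x6100), then 8 left shifts, XORing
    the polynomial 0x1021 whenever the bit shifted out (the carry) is set."""
    crc = 0                                # hash starts at zero
    for byte in data:
        crc ^= byte << 8                   # XOR swapped character into hash
        for _ in range(8):
            carry = crc & 0x8000           # bit that the shift will drop
            crc = (crc << 1) & 0xFFFF      # 16-bit register, left shift
            if carry:
                crc ^= 0x1021
    return crc

def mbrlock_hash(password: str) -> int:
    """Hash a password the way the MBR loader does: pad with spaces to 16
    bytes, then run the 16-round loop above. Assumption: input longer than
    16 characters is truncated (the post only covers shorter input)."""
    buf = password.encode("ascii")[:16].ljust(16, b" ")
    return crc16_xmodem(buf)

def matches_stored_hash(password: str, stored: int) -> bool:
    """The check the loader performs: compare the 16-bit hash of the typed
    password with the two bytes kept just before 'hjmc' in the third sector."""
    return mbrlock_hash(password) == (stored & 0xFFFF)
```

Because of the padding, a password with trailing spaces hashes identically to the same password without them.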
The first attempt by most users and technicians to fix the infection will be to run "fixmbr" to restore the MBR with a clean copy. Sadly this does not work, because the rootkit wipes the whole partition table from the first sector of the hard drive; it is copied out to the fifth sector along with the whole original MBR. The result is a broken Master Boot Record that cannot boot the machine because it has no working partition table.
If users are hit by this threat, the best way to handle it is to unplug the infected drive and plug it into another PC; this allows the user to copy the fifth sector back over the first one (remember to replace the 0xBEAF signature with the original 0xAA55). Another solution is to use a live CD with a recovery partition tool able to rebuild the whole partition table from scratch.
Ransomware is more than ever a very serious threat, one that can actually be defeated by regular backups of our sensitive and personal data and by using security software along with safe internet habits. The last thing you should do, if you are hit by this kind of malware, is pay. Contact your local police and your security vendor immediately; they can support you in investigating the threat and, if possible, cracking the encryption algorithm.
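The sector layout from the infection description and the manual recovery step above, as an added example (not code from the post or from Prevx) that runs over a constructed disk image: it flags an image whose fifth sector is an MBR ending in 0xBEAF and whose third sector ends in 'hjmc', then copies that saved sector back over sector 0 with the 0xAA55 signature restored. The exact offsets, the little-endian reading of the 0xBEAF word and the partition-table bytes of the demo image are assumptions.

```python
# Added example, not from the original post: detect the Trojan.MBRLock
# on-disk layout in a raw image and rebuild sector 0 from the saved copy.
from typing import Tuple

SECTOR = 512
BOOT_SIG = (0xAA55).to_bytes(2, "little")     # normal MBR signature, bytes 55 AA
SWAPPED_SIG = (0xBEAF).to_bytes(2, "little")  # assumed little-endian 0xBEAF
MARKER = b"hjmc"                              # trailer of the third loader sector

def sector(image: bytes, n: int) -> bytes:
    return image[n * SECTOR:(n + 1) * SECTOR]

def is_mbrlock_infected(image: bytes) -> bool:
    """Saved MBR in the fifth sector carries 0xBEAF; third sector ends in 'hjmc'."""
    return (sector(image, 4)[510:512] == SWAPPED_SIG
            and sector(image, 2).endswith(MARKER))

def recover_mbr(image: bytes) -> bytes:
    """Copy the fifth sector back over the first and put 0xAA55 back,
    which is the manual recovery the post describes."""
    if not is_mbrlock_infected(image):
        raise ValueError("image does not show the Trojan.MBRLock layout")
    saved = bytearray(sector(image, 4))
    saved[510:512] = BOOT_SIG
    return bytes(saved) + image[SECTOR:]

def make_demo_image() -> Tuple[bytes, bytes]:
    """Constructed 8-sector image: a clean MBR with one fake partition entry,
    and the same image after the overwrite the post describes."""
    clean_mbr = bytearray(SECTOR)
    clean_mbr[0:3] = b"\xeb\x3c\x90"                       # placeholder boot code
    clean_mbr[446:462] = (b"\x80\x01\x01\x00\x07\xfe\xff\xff"
                          b"\x3f\x00\x00\x00\xc1\xbf\x0f\x00")  # constructed entry
    clean_mbr[510:512] = BOOT_SIG
    clean = bytes(clean_mbr) + bytes(SECTOR * 7)
    saved = bytes(clean_mbr[:510]) + SWAPPED_SIG           # copy, signature swapped
    loader = bytearray(SECTOR * 3)                         # loader: no partition table
    loader[510:512] = BOOT_SIG                             # assumed, so the BIOS boots it
    loader[-4:] = MARKER
    infected = bytes(loader) + sector(clean, 3) + saved + clean[SECTOR * 5:]
    return clean, infected
```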
Prevx is currently detecting the trojan as Trojan.MBRLock.

Thank you for this article. Kudos to Prevx for providing such a quality product.