Trend Micro researchers recently uncovered a new ransomware variant that infects a Windows PC's master boot record and stops the operating system from loading.
"The Trend Micro blog reports that the malware, which has been detected as TROJ_RANSOM.AQB, overwrites the computer's master boot record (MBR) with malicious code, and then automatically restarts the system so the infection can activate," writes Midsize Insider's Megan Mostyn-Brown. "Instead of their usual start page, users are woefully treated to a message prompt that tells them to pay money in order to receive a code to unlock their computer."
"The payment is to be remitted via QIWI, without which the user remains stuck at the prompt with no ability to load Windows," writes FierceCIO's Paul Mah. "QIWI is one of the most popular payment systems in Russia."
"If victims pay up, the criminals send them a code to unlock their computers," The H Security reports. "Users can, however, save themselves 920 hryvnia by following the experts' instructions for removing the infection. This essentially consists of running the recovery console from the Windows Installation DVD and restoring the original MBR using the fixmbr command."
"This represents a serious escalation in ransomware techniques," writes Computerworld's Lucian Constantin. "While users can still run security tools to clean their systems of traditional ransomware applications and even recover some files, if Windows doesn't start at all, like in this case, the remediation procedure becomes much more difficult. Repairing the MBR is no trivial matter and usually requires booting from the Windows installation disk, getting into the recovery command console and typing special commands."