Fighters Get New Free Tool

Ransomware has become a gold mine for digital criminals. In the first three months of this year, electronic extortionists squeezed US$209 million from victims desperate to recover their data after it was scrambled by the malicious software, based on FBI estimates. At that rate, ransomware could funnel as much as $1 billion into criminal coffers this year.

Ransomware typically will encrypt most of the files on a computer, but some pernicious programs are selective about what they encrypt on a machine. One such form of ransomware attacks the boot sequence of a computer.

Petya ransomware overwrites the contents of a system’s Master Boot Record, forces a system reboot, and encrypts the operating system’s Master File Table.

With ransomware that’s limited to encrypting data, it’s still possible to use an infected machine. That only makes sense, since an extortionist expects the victim to use the computer to pay the ransom and receive the key that unscrambles the data on the afflicted machine.

With an attack on the MBR, however, the extortionist “bricks” the system and makes it unusable until the ransom is paid.


Risky Ransomware

Bricking a computer that you’re holding for ransom is a risky way to do business.

“With ransomware that encrypts the Master Boot Record, you have effectively lost the ability to use the computer,” explained Craig Williams, security outreach manager at Cisco Systems.

“That’s a little bit more risky for the attacker, because it relies on you having another way to get online and pay them,” he told TechNewsWorld, “but because the computer is unusable, you’re more likely to pay them.”

Despite the risks, there are some advantages to MBR ransomware, suggested Edmund Brumaghin, a threat researcher at Cisco and a colleague of Williams.

“One potential benefit to focusing on the MBR versus in-place encryption of files is that it can be completed quickly, regardless of the amount of user data that is stored on the system,” Brumaghin told TechNewsWorld.

“It may also be more difficult for decryptors to be made available if the boot process of the system has been manipulated or disrupted,” he continued. “Recovery may also be more difficult, as it may require a complete reinstallation of the system’s operating system, rather than just recovery of the user’s files.”


MBRFilter to the Rescue

To counter ransomware attacks on the Master Boot Record, Cisco Talos, the company’s threat intelligence organization, released a free program called “MBRFilter.” The program lets a user make the MBR read-only, which prevents any program from altering it.

Enabling that default can create problems from time to time, Williams acknowledged.

“Occasionally you have updates to operating systems or changes to the Linux kernel where you do need to poke at the Master Boot Record and update it,” he said, “but for the vast majority of the operation of a computer, you don’t need to update it.”

Malicious software that scrambles data on systems is by far a more popular form of ransomware than programs that attack the MBR, but when you protect the MBR, you’re protecting yourself from more than just ransomware.

“The MBR is often targeted by other types of malware, such as rootkits and bootkits,” Brumaghin explained.
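MBRFilter is a preventive control: it blocks writes to the MBR. A complementary detective control is to fingerprint the MBR’s regions (bootstrap code, disk signature, partition table) against a trusted baseline and alert when any of them change, which is how an administrator would notice tampering by ransomware, rootkits or bootkits on a disk that is not write-protected. The script below is an added example; it is not part of the article and is not code from Cisco Talos or MBRFilter. The 512-byte sector it checks is constructed in the code; on a real system the sector would be read from the physical disk by an administrator, and the baseline would be stored somewhere the machine cannot overwrite.

```python
"""MBR integrity check: parse sector 0 and compare it to a trusted baseline.

Added example (not from the article or from MBRFilter). The sample sector
is constructed inline so the script runs offline.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_END = 440      # bytes 0..439 hold the bootstrap code
DISK_SIG_OFF = 440       # 4-byte Windows disk signature at 440..443
PART_TABLE_OFF = 446     # four 16-byte partition entries at 446..509
BOOT_SIG = b"\x55\xaa"   # boot signature at bytes 510..511
PART_ENTRY = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(bootstrap: bytes = b"\xeb\x3c\x90" + b"\x90" * 437) -> bytes:
    """Construct a synthetic MBR (constructed sample, not read from a real disk)."""
    if len(bootstrap) != BOOTSTRAP_END:
        raise ValueError("bootstrap region must be exactly 440 bytes")
    disk_sig = b"\x11\x22\x33\x44"   # constructed disk signature
    reserved = b"\x00\x00"
    # One active partition of type 0x07 (NTFS/exFAT) at LBA 2048, 1,048,576 sectors.
    entry = struct.pack(PART_ENTRY, 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 1048576)
    table = entry + b"\x00" * 48      # remaining three entries unused
    sector = bootstrap + disk_sig + reserved + table + BOOT_SIG
    assert len(sector) == SECTOR_SIZE
    return sector


def parse_mbr(sector: bytes) -> dict:
    """Validate the boot signature and decode the partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(
            PART_ENTRY, sector[off:off + 16])
        if ptype == 0:               # empty entry
            continue
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba, "sectors": count})
    return {"disk_signature": sector[DISK_SIG_OFF:DISK_SIG_OFF + 4].hex(),
            "partitions": partitions}


def mbr_fingerprint(sector: bytes) -> dict:
    """Hash each region separately so a change can be attributed to a region."""
    sha = lambda b: hashlib.sha256(b).hexdigest()
    return {"bootstrap": sha(sector[:BOOTSTRAP_END]),
            "disk_signature": sector[DISK_SIG_OFF:DISK_SIG_OFF + 4].hex(),
            "partition_table": sha(sector[PART_TABLE_OFF:510]),
            "whole": sha(sector)}


def check_mbr(sector: bytes, baseline: dict) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    if len(sector) != SECTOR_SIZE or sector[510:] != BOOT_SIG:
        return ["boot signature missing or sector size wrong"]
    current = mbr_fingerprint(sector)
    return [f"{region} changed"
            for region in ("bootstrap", "disk_signature", "partition_table")
            if current[region] != baseline[region]]


if __name__ == "__main__":
    trusted = build_sample_mbr()
    baseline = mbr_fingerprint(trusted)          # would be stored off-host
    print("partitions:", parse_mbr(trusted)["partitions"])
    print("clean check:", check_mbr(trusted, baseline))
    # Constructed "after" sector whose bootstrap bytes differ from the baseline,
    # standing in for a boot sector that something overwrote.
    altered = build_sample_mbr(b"\x31\xc0" + b"\xcc" * 438)
    print("altered check:", check_mbr(altered, baseline))
```

Hashing the regions separately matters in practice: a legitimate OS update that rewrites the bootstrap code leaves the partition table hash intact, while a partition-table change with an untouched bootstrap points at disk-management activity, so the finding tells the responder which kind of change to investigate.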