One day after a new version of the GpCode ransomware popped up, researchers have discovered another piece of malware that overwrites the master boot record on infected machines and demands a payment of $100 to reverse the damage.
The new MBR-infecting ransomware is known as Seftad and it has a couple of interesting traits. First, after infection, it tells victims that their hard drives have been encrypted and that any attempt to recover their files will result in data loss. However, the hard drive isn’t actually encrypted, according to an analysis of Seftad by Kaspersky Lab malware analyst Denis Maslennikov. Instead, the malware simply replaces the infected PC’s MBR with a malicious one.
Second, it appears to be possible to restore the original master boot record without actually paying the ransom to the attackers. After infection, Seftad reboots the victim’s machine and then displays an image that asks the victim to enter a password, which the user obviously doesn’t have. Entering an incorrect password three times will cause the PC to reboot a second time and display the same message again. Maslennikov’s analysis showed that using the password “aaaaaaciip” without the quotation marks will deactivate the malware and restore the original MBR.
“If the victim browses the malware author’s website, he is asked to pay $100 using ‘Paysafecard’ or ‘Ukash’. If you are infected by this malware do not visit the website. Use the password ‘aaaaaaciip’ (without quotes) to restore the original MBR. If the password doesn’t work, you can cure your MBR with Kaspersky Rescue Disk 10,” Maslennikov said.
The tack taken by Seftad, going after the master boot record of an infected machine, is a potentially damaging one. The MBR occupies the first sector of a hard disk. The BIOS loads it before anything else, and the code it contains is what in turn locates and loads the operating system, so a machine whose MBR has been overwritten cannot boot its installed OS until the original record is put back, which generally means booting from separate media such as a rescue disk to rewrite the sector. MBR-infecting malware has been around for a long time and can cause serious problems for victims, but it hasn’t been very widespread in recent years.
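Because Seftad leaves the data alone and only swaps out the boot sector, the cheapest way to confirm or rule out that kind of tampering is to read sector 0 and compare its bootstrap code with a hash recorded while the system was clean, while checking that the partition table and the 0x55AA signature still look sane. The script below is an added example written for this article, not code from Threatpost or Kaspersky Lab. It uses only the standard MBR layout (446 bytes of boot code, four 16-byte partition entries, two signature bytes); the sample sectors it builds are constructed test data, and the assumption that a locker of this kind leaves the partition table intact is the example’s own, not something the article states about Seftad.

```python
"""Check whether a disk's master boot record still matches a known-good baseline.

Added example (not from the article or Kaspersky Lab). The MBR is the first
512-byte sector of the disk; the offsets below are the standard MBR layout.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446        # bytes 0..445 hold the bootstrap code the BIOS executes
PART_TABLE_OFF = 446       # four 16-byte partition entries follow the boot code
PART_ENTRY_LEN = 16
SIGNATURE_OFF = 510        # the last two bytes must be 0x55 0xAA


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into a boot-code hash, the partition table and the signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly %d bytes" % SECTOR_SIZE)
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # entry: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, _chs_start, ptype, _chs_end, lba_start, num_sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + PART_ENTRY_LEN])
        if ptype == 0:         # type 0 means the slot is unused
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "num_sectors": num_sectors,
        })
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xaa",
    }


def check_mbr(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Compare a freshly read MBR with a hash recorded while the system was clean.

    Returns a list of findings; an empty list means nothing looked changed.
    """
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing; sector is not a valid MBR")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline")
    if not info["partitions"]:
        findings.append("partition table is empty")
    if sum(p["bootable"] for p in info["partitions"]) > 1:
        findings.append("more than one partition flagged active")
    return findings


def read_mbr(device_path: str) -> bytes:
    """Read sector 0 from a raw device or disk image (a real disk needs root / administrator)."""
    with open(device_path, "rb") as f:
        return f.read(SECTOR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a test MBR: the given boot code plus one active NTFS partition at LBA 2048."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    return code + entry + b"\x00" * (3 * PART_ENTRY_LEN) + b"\x55\xaa"


# Constructed sample data (assumption of this example, not an observation about
# Seftad): a "clean" MBR and one whose boot code was swapped for a password
# prompt while the partition table was left untouched.
CLEAN_MBR = build_sample_mbr(b"\xeb\x3c\x90clean bootstrap stub")
TAMPERED_MBR = build_sample_mbr(b"\xeb\x3c\x90enter password:")
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

Record the baseline hash while the machine is known clean (for instance from `read_mbr("/dev/sda")` on Linux or `read_mbr(r"\\.\PhysicalDrive0")` on Windows, both requiring elevated privileges), keep it off the host, and re-run the check from a rescue environment when a machine shows a boot-time ransom screen. A changed boot code with an intact partition table is the signature of the swap described above; a missing 0x55AA signature or an empty table points to more destructive damage and a different recovery path.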