Breed of MBR Infecting Ransomware – an analysis by Quick Heal Security Labs

Credit to Author: Preksha Saxena| Date: Wed, 16 May 2018 11:27:25 +0000

Estimated reading time: 6 minutesRansomware is becoming one of the most perilous cyberattack methods and also the most habitual techniques for cybercriminals to earn money. It appears to have new weapons in its arsenal over time which is invariably aimed to boost its strength and enhance its business. As encrypting the files and restricting the user access is not enough, ransomware also infects the master boot record and prevent the operating system from loading. As the operating system is not loaded, none of the ransomware tool or antivirus work for these type of ransomware. Even though this technique is also seen last year (in case of PETYA ransomware), this year there has been an exponential increase in MBR infection by ransomware. MBR infection extends the scope for deep infection and controls the infected computers, which make the attack more severe. Ransomware copies the original MBR and overwrites it with its own malicious code. After that, it automatically restarts the system for the infection to take place. When the system restarts, the user is locked out and the ransomware displays its note and asks for a ransom. Master Boot Record Master Boot Record (MBR) is a small program that executes every time the computer boots, even before operating system loads. It is used for start-up process and has information of bootable partition. The MBR resides on the first sector of the hard disk. OS Booting Sequence Fig 1. OS booting Process BIOS tries to read the first physical sector i.e. MBR from the boot device. If no MBR is found, an error message is displayed. Since the MBR executes every time a computer is started, an MBR infection can be extremely dangerous. Recently, Quick Heal Security Labs analyzed various ransomware as well as MBR infections. This additional infection feature grasps attention which is trending in almost all the upcoming ransomware. We will discuss few of the recent ransomware. Annabelle ransomware Annabelle ransomware goes a step ahead in infection and comes up with the whole shooting match to vandalize a computer. It takes your computer hostage and does everything to ruin the system. It encrypts all files on a computer and appends the .annabelle extension to the encrypted files, it attempts to disable the firewall, terminates the list of processes including security programs, spreads via connected USB drives and ultimately, overwrites the MBR with its own code. It destroys every hard disk connected to the system. It adds its entry in the registry to automatically execute when a user logs into Windows. In fig 2, we see a pseudo-code of the malware which calls CreateFileA for taking the physical drive handle and write 0x800 bytes on each physical drive. Also, it does not take backup of clean MBR. Fig 2. Calling CreatFileA for taking handle to write on physical drive After infecting the hard disk, RtlSetProcessIsCritical is called – this function sets your process to a system critical status. As a result, the termination of this process will result in a termination of Windows as well. Calling RtlSetProcessIsCritical (1, 0, 0) will set the process as critical. Fig 3. Calling RtlSetProcessIsCritical It finally calls shutdown.exe with parameter -r -f -t 0 to restart the system, -r is used for complete shutdown and restart of the system and -t to force running applications to close without forewarning user. After system restart, the malware file gets executed and a ransom note is displayed as shown in fig 4. This is the first image after infection. The ransom asked is 0.1 Bitcoin. The malware also sets the countdown timer for paying ransom within that time. Fig 4. Ransomware 1st image after reboot If the user does not pay the ransom within the time limit displayed on the screen set by the malware, the screen is changed as shown in fig 5 and the user is locked out. The malware finally replaces the MBR and makes the system unfit for use. Fig 5. Ransomware 2nd image after reboot Its pure intention is to destroy the system completely if the user refuses to pay the ransom. Initially, it seems that it is just a ransomware which encrypts files although at a later phase, its behavior clarifies that it wants to…

Leave a Reply