MBRlock Ransomware

Posted: February 9, 2018

The MBRlock Ransomware is a Trojan that locks the PC's screen by hijacking the startup routine and demands a password before it allows Windows to restart. Cybercrooks often use similar lockouts for demanding ransoms, but the current version of the MBRlock Ransomware appears to be in a demonstration phase or intended as an ill-favored prank. Having your anti-malware products detect and delete the MBRlock Ransomware on sight is necessary for keeping it from subverting your control over the Windows UI.

Rebooting Straight into ASCII Art Trouble

Although they're a minority relative to file-locking Trojans, Trojans that block screens instead of media also appear now and again. Like the AMBA Ransomware or the Russian BrLock Ransomware, the MBRlock Ransomware, a Chinese Trojan, subverts the system's essential boot-up routine and locks you out of the computer indefinitely. Its threat actor's motivations are unknown: some versions of the MBRlock Ransomware may be an 'educational' project or a prank, but others include ransom demands.

The MBRlock Ransomware only runs in Windows. Once the user launches it, the MBRlock Ransomware drops a secondary executable in the Windows 'temp' directory and runs it, which forces Windows to shut down immediately. However, since the MBRlock Ransomware hijacks the master boot record (MBR) immediately, Windows doesn't restart. Instead, the screen displays the MBRlock Ransomware's text-based lock screen, which includes an ASCII skull, a Chinese phrase translating into 'I am a student,' and a prompt for a password. Additionally, some, but not all, versions of the Trojan request payment of 30 yuan (4.76 USD) for the password and provide a QQ address for negotiations.

Malware experts have found no other unsafe activity from the MBRlock Ransomware. Some MBR-locking threats also erase data or may even render the entire PC permanently unusable, but neither appears to be the case with the MBRlock Ransomware. However, its relative simplicity also allows the MBRlock Ransomware to launch and complete its attack within seconds.

Getting the Face of Death out of Your MBR

The MBRlock Ransomware isn't a highly sophisticated threat, but it does accomplish an attack that could keep most users from accessing their operating system at all. Although malware experts can't confirm that the same password unlocks all variants, they note that the string 'ssssss' unlocks at least one version of the MBRlock Ransomware. Without that password, victims have the choice of paying any prospective ransom or recovering their PC via alternate boot methods, such as USB devices.

While the MBRlock Ransomware's lock-screen text is primarily English, this threat is geographically Chinese, and users in that region should assume that it's in distribution. Over half of all major brands of anti-malware products successfully identify this Trojan as threatening and should block it on sight. For removal, malware experts recommend restarting from a peripheral device and letting your security software uninstall the MBRlock Ransomware, although additional repairs to the MBR are also mandatory for restoring the native boot-up routine.
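
The MBR repair step above can be scoped before anything is rewritten. The following Python check is an added example, not code from the original article or from any security vendor: it compares a 512-byte dump of sector 0 against a known-good backup of the same disk and reports whether the boot code, the partition table, or both differ. It assumes both dumps were captured from trusted boot media; the function names are hypothetical and the sample sectors are constructed.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE = slice(0, 446)     # bootstrap code area the firmware executes
PART_TABLE = slice(446, 510)  # four 16-byte partition entries
SIGNATURE = slice(510, 512)   # must be 55 AA for a bootable MBR
ENTRY = struct.Struct("<B3xB3xII")  # status, type, first LBA, sector count


def parse_partitions(sector):
    """Return (status, type, first_lba, sectors) for each used table entry."""
    entries = [ENTRY.unpack_from(sector, 446 + 16 * i) for i in range(4)]
    return [e for e in entries if e[1] != 0]  # type 0x00 marks an empty slot


def compare_mbr(baseline, current):
    """Compare a sector-0 dump with a known-good backup of the same disk."""
    for name, buf in (("baseline", baseline), ("current", current)):
        if len(buf) != SECTOR:
            raise ValueError(f"{name} must be exactly {SECTOR} bytes")
    return {
        "signature_ok": current[SIGNATURE] == b"\x55\xaa",
        "boot_code_changed": current[BOOT_CODE] != baseline[BOOT_CODE],
        "partition_table_changed": current[PART_TABLE] != baseline[PART_TABLE],
        "boot_code_sha256": hashlib.sha256(current[BOOT_CODE]).hexdigest(),
        "partitions": parse_partitions(current),
    }


def build_sample(fill):
    """Constructed sector: filler boot code plus one active NTFS-type entry."""
    table = ENTRY.pack(0x80, 0x07, 2048, 204800) + bytes(48)
    return bytes([fill]) * 446 + table + b"\x55\xaa"


if __name__ == "__main__":
    good = build_sample(0x90)      # stands in for the backup taken earlier
    suspect = build_sample(0xCC)   # same partition table, different boot code
    for key, value in compare_mbr(good, suspect).items():
        print(f"{key}: {value}")
```

When only `boot_code_changed` is true, the partition layout in the dump still matches the backup, so the repair is confined to the boot code.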

The price that the MBRlock Ransomware asks you to pay is much smaller than most ransoms but no more justifiable than the steeper ones of its competitors. Losing even a small amount of money, just to restore what's already yours, is a less than perfect solution, especially when preventing the loss in the first place is more than possible.
