
SentinelOne Labs Ransomware

Posted: April 13, 2020

The SentinelOne Labs Ransomware is a Trojan that blocks the operating system's startup routine by modifying the MBR. Its attack includes a warning message that falsely attributes it to a well-known security researcher at the SentinelOne cyber-security company, hence the Trojan's name. Users should keep backups of their work at all times as a precaution, reinstall Windows if necessary, and confirm the removal of the SentinelOne Labs Ransomware with appropriate anti-malware tools.

Security Researchers Getting Dragged through the Mud

The misattribution of a Trojan campaign is a serious matter: it can confuse further attempts at tracking threats and tarnish the names of individuals, businesses and even governments. Threat actors are well aware of this, and the more evasive ones may insert intentionally false or misleading information into their Trojans and other software. Mistaken identity also has a more 'playful' side in some threats, such as the SentinelOne Labs Ransomware.

The SentinelOne Labs Ransomware is a Trojan that subverts the master boot record (MBR), keeping Windows from starting at all. Usually, threat actors do this to destroy files (and evidence), but in this case the warning messages that the SentinelOne Labs Ransomware leaves imply another motive. The Trojan's alert claims that it is the product of one Vitali Kremez, a well-known cyber-security researcher and employee at SentinelOne.

While there is no actual connection between that researcher and the SentinelOne Labs Ransomware, the Trojan provides the victim with his legitimate contact information. The working e-mail addresses and phone numbers in the message create a probably intentional 'doxxing' effect by leading angry victims to contact the innocent researcher. Interestingly, malware experts confirm that the SentinelOne Labs Ransomware isn't a for-profit Trojan: it asks for no ransom (besides buying AV software, which doesn't benefit the criminal) and has no means of monetizing the attack.

Acting the Part of a Sentinel to Your Windows Startup

Malware researchers rate Trojans that impersonate workers at AV companies as much rarer than those that attribute themselves to the Anonymous hacktivist group or leave their attacks without any obvious authorship. Despite the unusual theme, the SentinelOne Labs Ransomware isn't alone. The fake BitDefender 2011 is one attack that falsely implicated a company and its flagship product, and various Trojans that corrupt the MBR sometimes include call-outs or other references to prominent members of the cyber-security industry.

While the SentinelOne Labs Ransomware's warning has little believability, the attack and its blocking of Windows is a genuine issue. Users may bypass it and access their files temporarily by booting from a prepared USB drive, DVD or similar storage device. There also is some chance that the SentinelOne Labs Ransomware includes an emergency 'failsafe' key combination, such as Ctrl+Alt+Esc.

As a last resort, Windows users can always reinstall Windows from scratch and remove the SentinelOne Labs Ransomware's remnants or associated threats through anti-malware solutions.

As of now, the SentinelOne Labs Ransomware is spreading through freeware and software piracy tools. Other infection vectors may follow for Windows users, but downloading illicit content is a mistake that, hopefully, anyone makes only once.
