Researchers at SentinelLabs have recently reported a surge of MBRLocker variant malware. MBRLocker malware overwrites the Master Boot Record (MBR), which handles booting the operating system on startup. By modifying this buffer of data, attackers can prevent a computer from booting entirely. Recently, a newly discovered MBRLocker sample taunted Vitali Kremez, the lead researcher of SentinelLabs, by claiming to originate from him and asking victims to contact him on Twitter. Additionally, the malware analysis team, malwarehunterteam was also taunted by the threat actors.
This malware is typically spread through illegitimate “cracked” software distributions. Binary Defense recommends never installing any cracked software. Additionally, practicing strong backup policies can help make cleanup from this malware type easier, as the most common solution to an MBRLocker infection is to reformat the computer. Some MBRLocker variants create a backup of the Master Boot Record before overwriting it, so it may be possible to recover the computer’s normal operation by restoring the MBR from the backup. To keep backup data safe, consider the 3-2-1 rule: Keep 3 copies of backup data, stored on 2 different physical media, with 1 stored offsite.