New Wiper Malware impersonates security researchers as prank

imhotep

Well-known member
  • Mar 29, 2017
    14,833
    8
    35,357
    113
    Freebie downloaders beware...


    A malware distributor has decided to play a nasty prank by locking victims' computers before they can start Windows and then blaming the infection on two well-known and respected security researchers.

    Over the past 24 hours, after downloading and installing software from what appears to be free software and crack sites, people suddenly find that they are locked out of their computer before Windows starts.

    When locked out, the PC will display a message stating that they were infected by Vitali Kremez and MalwareHunterTeam, who are both well-known malware and security researchers and have nothing to do with this malware.

    These infections are called MBRLockers as they replace the 'master boot record' of a computer so that it prevents the operating system from starting and displays a ransom note or other message instead.

    imhotep

    Well-known member
  • Mar 29, 2017
    What about GPT?

    No information yet. But remember GPT has an MBR for backward compatibility immediately followed by its own partition table. These Lockers possibly will overwrite the GPT. Some of the old Petya versions did that.
    In any case, it won't take malware guys too long to modify it to attack GPT.
     
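As an added illustration of the two posts above (it is example code written for this thread, not from the posts or from the BleepingComputer article they quote), here is a defender-side integrity check for the first two sectors of a disk: the MBR at LBA 0, whose 446 bytes of boot code an MBRLocker replaces, and the GPT header at LBA 1 that follows the backward-compatibility MBR. It parses the partition table, verifies the 0x55AA boot signature, checks for the single 0xEE protective entry that a GPT disk carries, validates the GPT header's "EFI PART" signature and CRC32, and compares the boot code hash against a baseline taken while the machine was known good. All sector contents are constructed samples; the check is a generic one and does not model any particular locker.

```python
# Added example (not from the forum posts or the article they quote): a
# defender-side integrity check for the MBR at LBA 0 and the GPT header at
# LBA 1. Every sector below is a constructed sample, not data from a real disk.
import hashlib
import struct
import zlib

SECTOR = 512
BOOTCODE_LEN = 446           # bytes of boot code before the 4-entry partition table
GPT_PROTECTIVE_TYPE = 0xEE   # partition type of the GPT "protective MBR" entry


def parse_mbr(sector: bytes) -> dict:
    """Return boot-signature state, the non-empty partition entries and whether
    the table is a GPT protective MBR (one 0xEE entry starting at LBA 1)."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    entries = []
    for i in range(4):
        # entry: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, BOOTCODE_LEN + 16 * i)
        if ptype != 0:
            entries.append({"status": status, "type": ptype, "lba_start": lba, "sectors": count})
    protective = (len(entries) == 1 and entries[0]["type"] == GPT_PROTECTIVE_TYPE
                  and entries[0]["lba_start"] == 1)
    return {
        "signature_ok": sector[510:512] == b"\x55\xAA",
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "entries": entries,
        "protective_mbr": protective,
    }


def gpt_header_valid(sector: bytes) -> bool:
    """Check the GPT header at LBA 1: 'EFI PART' signature plus a header CRC32
    that matches when the CRC field itself is zeroed (as the UEFI spec defines)."""
    if len(sector) < 92 or sector[:8] != b"EFI PART":
        return False
    header_size, stored_crc = struct.unpack_from("<II", sector, 12)
    if header_size < 92 or header_size > len(sector):
        return False
    hdr = bytearray(sector[:header_size])
    struct.pack_into("<I", hdr, 16, 0)
    return (zlib.crc32(bytes(hdr)) & 0xFFFFFFFF) == stored_crc


def check_boot_sectors(mbr: bytes, gpt: bytes, baseline_bootcode_sha256: str) -> dict:
    """Compare live sectors against a known-good baseline; any finding means the
    boot path was altered and the machine should be examined before rebooting."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("mbr_signature_missing")
    if info["bootcode_sha256"] != baseline_bootcode_sha256:
        findings.append("bootcode_changed")
    if not info["protective_mbr"]:
        findings.append("protective_entry_missing")
    if not gpt_header_valid(gpt):
        findings.append("gpt_header_invalid")
    return {"verdict": "clean" if not findings else "suspicious", "findings": findings}


def _build_gpt_header() -> bytes:
    """Constructed 92-byte GPT header (revision 1.0) padded to one sector."""
    hdr = bytearray(92)
    hdr[0:8] = b"EFI PART"
    struct.pack_into("<IIII", hdr, 8, 0x00010000, 92, 0, 0)   # revision, size, CRC (filled below), reserved
    struct.pack_into("<QQQQ", hdr, 24, 1, 2047, 34, 2014)     # current, backup, first/last usable LBA
    hdr[56:72] = b"\x11" * 16                                 # constructed disk GUID
    struct.pack_into("<QIII", hdr, 72, 2, 128, 128, 0)        # entries LBA, count, entry size, entries CRC
    struct.pack_into("<I", hdr, 16, zlib.crc32(bytes(hdr)) & 0xFFFFFFFF)
    return bytes(hdr) + b"\x00" * (SECTOR - 92)


# --- constructed sample sectors ----------------------------------------------
# Known-good state: placeholder boot code, one 0xEE protective entry, 0x55AA.
CLEAN_MBR = (b"\xEB\x63\x90" + b"\x90" * (BOOTCODE_LEN - 3)
             + struct.pack("<B3xB3xII", 0x00, GPT_PROTECTIVE_TYPE, 1, 0xFFFFFFFF)
             + b"\x00" * 48 + b"\x55\xAA")
CLEAN_GPT = _build_gpt_header()
BASELINE_BOOTCODE_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOTCODE_LEN]).hexdigest()

# Locker-style state as the posts describe it: boot code replaced (arbitrary
# filler bytes stand in for it here), partition table wiped, signature kept so
# the firmware still runs the stub, and the GPT header at LBA 1 overwritten.
LOCKED_MBR = b"\xCC" * BOOTCODE_LEN + b"\x00" * 64 + b"\x55\xAA"
LOCKED_GPT = b"\x00" * SECTOR


if __name__ == "__main__":
    for label, m, g in (("clean", CLEAN_MBR, CLEAN_GPT), ("locked", LOCKED_MBR, LOCKED_GPT)):
        print(label, check_boot_sectors(m, g, BASELINE_BOOTCODE_SHA256))
```

On a live system the two sectors are simply the first 1024 bytes of the raw disk device (for example `/dev/sda` on Linux, read with root privileges), so the baseline hash can be recorded once at deployment and the check re-run from a monitoring job; the GPT CRC check is independent of the baseline and catches the case the second post raises, where a locker overwrites LBA 1 along with the MBR.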

    imhotep

    Well-known member
  • Mar 29, 2017
    At the moment it is not clear whether it just craps the MBR after backing it up elsewhere. More details will surface later.

    But sure, there were old ransom variations too, where the MBRLocker encrypted the MBR, so you effectively could not access your data even though the data itself was not encrypted.