Nasty ransomware overwrites your PC's master boot record


  1. Posts : 440
    Windows 10 Home 64-bit, 22H2 19045.4170
       #20

    Geneo said:
    UEFI and secure boot will not protect you against ransomware.
    Thanks for the info.


  2. Posts : 1,557
    W10 32 bit, XUbuntu 18.xx 64 bit
       #21

    Geneo said:
    UEFI and secure boot will not protect you against ransomware. All they need to do is gain access to your system and encrypt your precious files. They don't need to encrypt the MBR.

    Offline backups will protect you.
    @Geneo


    The thread is about ransomware that overwrites your MBR but doesn't encrypt the files.

    This nasty ransomware overwrites your PC's master boot record | PCWorld


    Trust_No1 said:
    Now to clarify aren't most newer systems UEFI, which no longer uses the MBR method? and thus making the virus non-invasive?

    I thought that was, in part, one of the purposes of UEFI?
    dmex said:
    Yes. If you installed Windows via UEFI then that ransomware doesn't do anything since EFI doesn't use boot sectors such as the MBR and uses an EFI file located on the partition. It also helps to have Secure Boot enabled since that also prevents any tampering with the EFI files.


  3. Posts : 1,773
    Windows 10 Home
       #22

    Just a followup on this topic. Like the title says, the technique is not easy but better than last resort of paying ransom -
    Experts crack Petya ransomware, enable hard drive decryption for free
    The technique is not exactly straightforward, but it works.

    Experts crack Petya ransomware, enable hard drive decryption for free | PCWorld

    http://www.bleepingcomputer.com/news...ator-released/


  4. Posts : 1,557
    W10 32 bit, XUbuntu 18.xx 64 bit
       #23

    I just got to thinking about this. If booted from a repair CD or Windows installation CD, why wouldn't Bootrec.exe /fixboot, Bootrec.exe /fixmbr and, if needed, bootrec /rebuildbcd work on this ransomware?


  5. Posts : 1,191
    Windows 11 Pro x64
       #24

    groze said:
    @Geneo


    The thread is about ransomware that overwrites your MBR but doesn't encrypt the files.

    This nasty ransomware overwrites your PC's master boot record | PCWorld
    I can read, can you? I was responding to "My laptop uses UEFI and Secure Boot is enabled by default. Does that mean that I don't need to worry about ransomware?" which clearly is about ransomware in general, and I was quite specific in my answer.


  6. Posts : 11,247
    Windows / Linux : Arch Linux
       #25

    Hi there

    Again I would recommend ALWAYS USE A CLEAN BACKUP to remove any infection no matter how trivial.

    Even if you use "Cleansing" software you are still working with an infected computer -- so I wouldn't guarantee the integrity of the cleansing process no matter how good the authors of the software say it is.

    I mean would you fly a Dodgy plane and then repair it while it's IN THE AIR. !!!!

    You'd of course want to repair it on the ground and replace defective parts -- same with a PC - boot from a stand alone bootable recovery system and restore a clean image.

    Easily done --don't get panicked by these Ransomware tales --even if you are misfortunate enough to get one of these it's easy to deal with.

    Plenty of decent FREE software for taking images / backups so no excuse --always keep a few and ensure the BACKUP is of course clean (similarly you wouldn't replace a defective part on a plane with another defective part - I hope !!).

    Cheers
    jimbo


  7. Posts : 15,485
    Windows10
       #26

    jimbo45 said:
    Hi there

    Again I would recommend ALWAYS USE A CLEAN BACKUP to remove any infection no matter how trivial.

    Even if you use "Cleansing" software you are still working with an infected computer -- so I wouldn't guarantee the integrity of the cleansing process no matter how good the authors of the software say it is.

    I mean would you fly a Dodgy plane and then repair it while it's IN THE AIR. !!!!

    You'd of course want to repair it on the ground and replace defective parts -- same with a PC - boot from a stand alone bootable recovery system and restore a clean image.

    Easily done --don't get panicked by these Ransomware tales --even if you are misfortunate enough to get one of these it's easy to deal with.

    Plenty of decent FREE software for taking images / backups so no excuse --always keep a few and ensure the BACKUP is of course clean (similarly you wouldn't replace a defective part on a plane with another defective part - I hope !!).

    Cheers
    jimbo
    100% agree - image backups are the best protection. You can back up to a NAS drive but I recommend simply using an external USB hard drive as it can be removed and hence less risk of it getting infected.


  8. Posts : 3,453
       #27

    Agree with you guys regarding backups (albeit repairing a plane in mid-flight will be awesome tho') but do standard backup tools protect against MBR corruption/rootkits?
    'Suppose repairing BCD with the install media would work - My understanding is that, that is what secure-boot was intended for...


  9. Posts : 263
    Windows 10 Home x64
       #28

    jimbo45 said:
    Hi there

    Again I would recommend ALWAYS USE A CLEAN BACKUP to remove any infection no matter how trivial.

    Even if you use "Cleansing" software you are still working with an infected computer -- so I wouldn't guarantee the integrity of the cleansing process no matter how good the authors of the software say it is.

    I mean would you fly a Dodgy plane and then repair it while it's IN THE AIR. !!!!

    You'd of course want to repair it on the ground and replace defective parts -- same with a PC - boot from a stand alone bootable recovery system and restore a clean image.

    Easily done --don't get panicked by these Ransomware tales --even if you are misfortunate enough to get one of these it's easy to deal with.

    Plenty of decent FREE software for taking images / backups so no excuse --always keep a few and ensure the BACKUP is of course clean (similarly you wouldn't replace a defective part on a plane with another defective part - I hope !!).

    Cheers
    jimbo
    Makes good sense to me


  10. Posts : 11,247
    Windows / Linux : Arch Linux
       #29

    Superfly said:
    Agree with you guys regarding backups (albeit repairing a plane in mid-flight will be awesome tho') but do standard backup tools protect against MBR corruption/rootkits?
    'Suppose repairing BCD with the install media would work - My understanding is that, that is what secure-boot was intended for...
    Hi there

    Who's ever heard of a 100% SECURE Jail either -- if it's on a computer connected to the Internet it can be hacked if it's a writeable device.

    If the device containing the backup isn't physically on the machine you are safe - so long as the backup is clean it will always restore decently to a HDD. If you are 100% paranoid you can use one of the several secure erase programs to really clean your HDD before restoring !!!!.

    Image backups are fine --again some of these have a "Paranoia Mode" by backing up and restoring sector by sector --that's not normally required but can sometimes be useful if the Geometry of the HDD you are restoring to is different from the original --i.e can be bigger (or smaller too - so long as there's enough space for the restored data).

    I haven't heard of malware actually corrupting BIOSes yet -- the secure boot though only protects the initial boot startup - the actual OS can of course get infected. Secure boot really is only of use to prevent booting from "unauthorized devices" and for most home users is more trouble than it's worth - especially if you want to do a lot of testing. Most people usually disable it -- keeping UEFI set of course - the two aren't the same.

    Cheers
    jimbo
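
The MBR-versus-UEFI point raised earlier in the thread, and the later question about spotting MBR corruption, can both be checked from the first disk sector. This is an added example, not code from any poster or from the linked articles; the function names and the sample sectors are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 446          # bytes 0-445: boot code (incl. disk signature)
GPT_PROTECTIVE = 0xEE        # partition type of a GPT "protective MBR"

def inspect_sector0(sector: bytes) -> dict:
    """Classify a disk's first sector and fingerprint its boot code area."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need the full 512-byte first sector")
    sector = sector[:SECTOR_SIZE]
    partitions = []
    for i in range(4):       # four 16-byte partition entries follow the boot code
        entry = sector[BOOT_CODE_END + 16 * i: BOOT_CODE_END + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if ptype:            # type 0x00 marks an unused slot
            partitions.append({"active": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    if sector[510:512] != b"\x55\xaa":
        scheme = "invalid"   # boot signature missing
    elif any(p["type"] == GPT_PROTECTIVE for p in partitions):
        scheme = "gpt"       # disk is GPT; sector 0 is only a protective MBR
    else:
        scheme = "mbr"       # legacy layout that boots through sector 0
    digest = hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest()
    return {"scheme": scheme, "partitions": partitions, "boot_code_sha256": digest}

def boot_code_changed(sector: bytes, baseline_sha256: str) -> bool:
    """True when the boot code area no longer matches a known-good hash."""
    return inspect_sector0(sector)["boot_code_sha256"] != baseline_sha256

def build_sample_sector(boot_code: bytes, ptype: int) -> bytes:
    """Constructed test data: a sector with one partition entry of `ptype`."""
    gpt = ptype == GPT_PROTECTIVE
    entry = struct.pack("<B3sB3sII", 0x00 if gpt else 0x80, b"\x00\x02\x00",
                        ptype, b"\xff\xff\xff", 1 if gpt else 2048, 1_000_000)
    return boot_code.ljust(BOOT_CODE_END, b"\x00") + entry + bytes(48) + b"\x55\xaa"

if __name__ == "__main__":
    clean = build_sample_sector(b"\xeb\x3c\x90 constructed boot code", 0x07)
    baseline = inspect_sector0(clean)
    tampered = build_sample_sector(b"\xfa constructed overwrite", 0x07)
    print(baseline["scheme"], baseline["partitions"])
    print("changed:", boot_code_changed(tampered, baseline["boot_code_sha256"]))
```

On a real machine, feed it the first 512 bytes of the disk read from a recovery environment, and keep the baseline hash alongside the offline backup.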