- Jan 24, 2011
Researchers have spotted a new ransomware family that overwrites a hard drive's MBR (Master Boot Record) and prevents the PC from booting up, after encrypting its files.
This one's named HDDCryptor (or Mamba), and has been around since January 2016, according to a Bleeping Computer forum topic where users reported their infections.
Technically, HDDCryptor was around before the overhyped Petya and the later Satana ransomware families, which got a lot more media attention and behaved in the same way, rewriting the MBR and preventing the PC from booting.
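The boot-lock behaviour described above, where a rewritten MBR stops the machine from starting, is the first thing a responder checks for on a suspect disk. The following is an added example, not code from the article or from the Morphus Labs or Trend Micro analyses it cites: it reads a raw 512-byte MBR, parses the bootstrap code, partition table and boot signature, and compares the bootstrap code against a known-good SHA-256 baseline to flag a rewrite. The two sample MBRs are constructed here for illustration; they are not HDDCryptor's real boot sector, whose contents the article does not describe. The device paths in `read_mbr` are the usual ones and are an assumption about the host.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"          # bytes 510-511 of a valid legacy-boot MBR
BOOTSTRAP_LEN = 446                   # bytes 0-445: code the BIOS jumps into
PARTITION_ENTRY = "<B3sB3sII"         # status, CHS start, type, CHS end, LBA start, sector count


def read_mbr(device: str = "/dev/sda") -> bytes:
    """Read the first sector of a block device (Windows: r'\\\\.\\PhysicalDrive0'). Needs root/admin."""
    with open(device, "rb") as fh:
        return fh.read(MBR_SIZE)


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR into its three regions and decode the four partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(mbr)}")
    bootstrap = mbr[:BOOTSTRAP_LEN]
    table = mbr[BOOTSTRAP_LEN:510]
    partitions = []
    for i in range(4):
        entry = table[i * 16:(i + 1) * 16]
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(PARTITION_ENTRY, entry)
        if ptype != 0:                                  # type 0 means "unused slot"
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "bootstrap_sha256": hashlib.sha256(bootstrap).hexdigest(),
        "partitions": partitions,
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(mbr: bytes, baseline_bootstrap_sha256: str) -> list:
    """Return findings that indicate the MBR no longer matches a known-good baseline."""
    parsed = parse_mbr(mbr)
    findings = []
    if not parsed["signature_ok"]:
        findings.append("boot signature 0x55AA missing: BIOS will refuse to boot this disk")
    if parsed["bootstrap_sha256"] != baseline_bootstrap_sha256:
        findings.append("bootstrap code differs from baseline: MBR rewritten")
    if not any(p["bootable"] for p in parsed["partitions"]):
        findings.append("no partition flagged bootable")
    return findings


def make_sample_mbr(bootstrap: bytes, bootable: bool = True) -> bytes:
    """Constructed MBR: caller-supplied bootstrap code, one NTFS (0x07) partition, valid signature."""
    code = bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")[:BOOTSTRAP_LEN]
    entry = struct.pack(PARTITION_ENTRY, 0x80 if bootable else 0x00, b"\x00\x02\x00",
                        0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE


# Constructed stand-in for clean bootstrap code; a real baseline would be hashed from a
# known-good image of the same machine (or the same OS loader) before any incident.
GOOD_MBR = make_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = parse_mbr(GOOD_MBR)["bootstrap_sha256"]

# Constructed "after infection" MBR: bootstrap replaced by a loader that shows a ransom note,
# while the partition table and signature are left intact so the disk still looks sane at a glance.
BAD_MBR = make_sample_mbr(b"\xeb\x3c\x90" + b"YOUR DISK IS ENCRYPTED")

# Constructed variant with the boot signature wiped as well.
NO_SIG_MBR = BAD_MBR[:510] + b"\x00\x00"

if __name__ == "__main__":
    for name, blob in (("good", GOOD_MBR), ("rewritten", BAD_MBR), ("rewritten+nosig", NO_SIG_MBR)):
        print(name, check_mbr(blob, BASELINE) or "OK")
```

The comparison is against the bootstrap code only, because the partition table legitimately changes when disks are repartitioned while the loader code does not; a baseline taken from a clean image of the same build is what makes the hash check meaningful.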
New wave of HDDCryptor infections
Based on available reports, it appears that a recent malware distribution campaign has been delivering a new version of HDDCryptor to users around the world.
The first one to (re)detect HDDCryptor was Renato Marinho, a security researcher for Morphus Labs, who said his company was called in to investigate a massive HDDCryptor infection at a multinational, which affected its headquarters in the US, Brazil, and India.
Marinho's initial technical analysis was followed a few days later by a largely identical one from Trend Micro.
According to both, HDDCryptor infections start with users visiting a malicious website and downloading malware-laced files onto their PCs. These files are either infected with HDDCryptor directly or carry an intermediary malware that delivers HDDCryptor at a later stage, once the crooks are sure they have boot persistence on the infected computer.
Read more: HDDCryptor Ransomware Locks Hard-Drive Boot Records