Hackers Posing as Renowned Security Researchers Launch a Destructive MBRLocker Wiper Attack

If you think no threat is worse than ransomware, you have probably never dealt with a wiper on your own system. What makes this malware different? A wiper is built to permanently destroy data, hence the name. Ransomware encrypts data and demands payment in exchange for a decryption tool, and even then there is no guarantee of getting the data back: the attackers are under no obligation to deliver, and plenty of victims who paid never received a working decryptor. There are also documented cases of wipers posing as ransomware and demanding payment for a recovery that was never possible in the first place.

Free software downloads from dubious sites are among the most common malware distribution channels in general, and that is also how this particular MBRLocker spread. Its apparent goal was not profit but to discredit well-known figures in the security community.

Hackers lock victims’ computers and try to blame it on reputable security researchers

A curious MBRLocker case took the internet by storm. The threat locks the infected computer before Windows can start and displays a message attributing the attack to security researchers Vitali Kremez and MalwareHunterTeam. Neither of them has anything to do with it.

According to the victims' own reports, their computers were infected after they had downloaded and installed programs from free software sites. Surprisingly, the first version of the malware asks for no ransom at all. The attackers seem to have built it purely to amuse themselves by pinning the attack on the very people who hinder their criminal activities.

Windows cannot start because the malware replaces the MBR

The malware overwrites the Master Boot Record (MBR), the first 512-byte sector of a BIOS-booted disk, which holds both the bootstrap code the firmware executes and the disk's partition table. With the bootstrap code replaced, the next boot runs the attacker's code instead of the Windows boot loader, so the machine never reaches the operating system and instead shows a black-screen note crediting Vitali Kremez with the attack. Two points worth keeping in mind: overwriting the MBR alone does not erase the files on the partitions, and the behaviour described here is limited to the MBR, so the data is normally still on disk and reachable by booting from external media; and on UEFI systems the firmware does not execute MBR boot code at all, so this class of locker is a legacy-BIOS-boot problem.

Here's the full text shown by the MBRLocker:

"Hello, my name is Vitali Kremez. I infected your stupid PC, you idiot.
Write me in twitter @VK_intel if you want your computer back
If I do not answer, write my husband twitter.com/malwrhunterteam
To protect your f***ing computer in future install SentinelOne antivirus, I work here as head of labs
Vitali Kremez Inc. () 2020"

As soon as he became aware of the attackers' attempt to defame him, Vitali Kremez tweeted that he had no connection to the attack.

Many users shared screenshots of the note on Twitter and asked Kremez for help. While most realized right away that he was not responsible, some individuals fell for the prank and pleaded with him to fix their computers.

Another version of the note also lists a phone number and two email addresses through which the victim is told to contact "Kremez" (the contact details are left blank below):

“~SentinelOne Labs Ransomware~
Your system was unprotected, so we locked down access to Windows.
You need to buy SentinelOne antivirus in order to restore your computer.
My name is Vitali Kremez. Contacts are below.
Phone:
E-Mail 1:
E-Mail 2:

After you buy my antivirus I will send you unlock code.
Enter Unlock code: _”

As stated above, neither Vitali Kremez nor SentinelOne nor MalwareHunterTeam has anything to do with this MBRLocker attack; their names are used purely as a prank.

Full recovery might not be an option for affected computers

Unfortunately, most victims should not expect a quick fix. Kremez tweeted that for the majority of them the practical option is a full Windows restore or reinstall, and he urged users not to download pirated software from third-party websites. Before wiping and reinstalling, it is worth remembering that an MBR overwrite does not by itself touch the files on the partitions: image the disk first, copy user data off by booting from installation media or a live USB, and, where the partition table survived, the Windows Recovery Environment's bootrec /fixmbr rewrites the bootstrap code without disturbing the partitions.

There may still be hope for a cleaner recovery. A publicly available MBRLocker builder was recently found to be behind a number of MBRLockers; if this particular sample turns out to come from the same builder, a full MBR restoration should be possible. In a sample of another MBRLocker, researchers also discovered that pressing CTRL+ALT+ESC at the lock screen restores the Master Boot Record and lets the PC boot. Since that finding concerns a different sample, it is worth trying only after the disk has been imaged, and not something to count on.
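Added example, not from the article and not code from Kremez, MalwareHunterTeam or SentinelOne: a Python sketch of the MBR layout the locker overwrites (the section above on the MBR replacement) and of why a bootstrap-only overwrite is repairable (the recovery discussion in this section). It builds constructed 512-byte sectors (the bootstrap bytes are stand-ins, not real boot code; the marker strings are lifted from the notes quoted above), parses the partition table, flags a bootstrap area that carries a locker note, and rebuilds the sector from known-good bootstrap code while keeping the victim disk's own partition table, which is the same principle a tool such as bootrec /fixmbr relies on. It refuses when the partition table itself was zeroed, because then bootstrap repair alone cannot bring the disk back.

```python
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 446          # bytes 0x000-0x1BD: code the BIOS jumps to
PART_TABLE_OFF = 446         # bytes 0x1BE-0x1FD: four 16-byte partition entries
SIGNATURE = b"\x55\xaa"      # bytes 0x1FE-0x1FF: boot signature

# Strings taken from the notes quoted in the article. An MBR locker's boot code has to
# carry its message somewhere in the 446-byte bootstrap area, so a plain substring
# search over that area is a cheap first-pass indicator (constructed heuristic).
NOTE_MARKERS = [b"Vitali Kremez", b"SentinelOne", b"Unlock code"]


def build_mbr(bootstrap, partitions):
    """Assemble a 512-byte MBR from bootstrap bytes and (bootable, type, lba_start, sectors) tuples."""
    boot = bootstrap[:BOOTSTRAP_LEN].ljust(BOOTSTRAP_LEN, b"\x00")
    table = b"".join(
        struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\xfe\xff\xff",
                    ptype, b"\xfe\xff\xff", lba_start, sectors)
        for bootable, ptype, lba_start, sectors in partitions
    ).ljust(64, b"\x00")
    return boot + table + SIGNATURE


def parse_partitions(sector):
    """Decode the four partition entries; empty slots (type 0x00) are skipped."""
    parts = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0x00:
            continue
        parts.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def analyze_mbr(sector):
    """Report signature validity, the partition table, and whether the bootstrap area carries a locker note."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    bootstrap = sector[:BOOTSTRAP_LEN]
    found = [m.decode() for m in NOTE_MARKERS if m in bootstrap]
    return {
        "valid_signature": sector[510:512] == SIGNATURE,
        "partitions": parse_partitions(sector),
        "note_markers": found,
        "suspicious": bool(found),
    }


def repair_mbr(damaged, known_good):
    """Rebuild an MBR: fresh bootstrap code from a known-good sector, the victim disk's own
    partition table kept. Refuses when the table is gone, because then the partitions must be
    recovered by other means (backup or carving) before the disk can boot again."""
    if not parse_partitions(damaged):
        raise ValueError("partition table is empty; bootstrap repair alone cannot recover this disk")
    return known_good[:BOOTSTRAP_LEN] + damaged[PART_TABLE_OFF:PART_TABLE_OFF + 64] + SIGNATURE


# Constructed samples (not real boot code): a stand-in bootstrap prologue for the clean
# disk, and a locker bootstrap that carries note text from the article.
CLEAN_BOOTSTRAP = bytes.fromhex("33c08ed0bc007c8ec08ed8") + b"\x90" * 16
LOCKER_BOOTSTRAP = (b"\xb4\x0e"
                    b"~SentinelOne Labs Ransomware~\r\n"
                    b"My name is Vitali Kremez.\r\n"
                    b"Enter Unlock code: _")
PARTITIONS = [(True, 0x07, 2048, 204800),        # NTFS system partition
              (False, 0x07, 206848, 20000000)]   # NTFS data partition

CLEAN_MBR = build_mbr(CLEAN_BOOTSTRAP, PARTITIONS)
LOCKER_MBR = build_mbr(LOCKER_BOOTSTRAP, PARTITIONS)   # bootstrap overwritten, table intact
WIPED_MBR = build_mbr(LOCKER_BOOTSTRAP, [])            # table zeroed as well

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("locker", LOCKER_MBR)):
        print(name, analyze_mbr(mbr))
    print("repaired matches clean:", repair_mbr(LOCKER_MBR, CLEAN_MBR) == CLEAN_MBR)
```

To use it on a real case, feed `analyze_mbr` the first sector of a forensic image of the disk (for example `dd if=disk.img bs=512 count=1`), never the live disk, and write a repaired sector back only to a copy you have verified boots.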

By Zane
April 17, 2020