The Complete Magazine on Open Source

HDDCryptor ransomware can lock boot record of your hard drive


HDDCryptor, a ransomware family that was discovered in January 2016, has started to spread. The ransomware is capable of targeting and locking the MBR (Master Boot Record) of any of your hard drives.

Users have started reporting infections by HDDCryptor. Spotted before the malicious attacks by Petya and Satana, the ransomware has been in use since January this year. It lets attackers rewrite the Master Boot Record (MBR), which then prevents the PC from booting.

According to a recent report by a Morphus Labs researcher, HDDCryptor has started infecting systems in the US, Brazil and India. The ransomware appears to leverage malicious websites for distribution. When a user downloads malware-laced files to the PC, the infection either starts immediately or the malware begins its action at a later stage.

HDDCryptor is a bunch of binaries crammed into one. It first scans for network drives and then dumps credentials for shared folders. It leverages Network Password Recovery for the dumping process and uses DiskCryptor to encrypt files on hard drive partitions as well as the data on network drives.

As its last step, the ransomware rewrites the MBR with a custom bootloader. As a result, the PC fails to detect the hard drive when you reboot it. The malware displays a ransom note asking the user to check the cables, along with the contact details to decrypt the hard drive.
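Because the final step is an overwrite of sector 0, a defender can baseline the MBR and alert when its bootstrap code or partition table changes. The sketch below is an added example, not code from the article or from Morphus Labs; the function names and the sample sectors are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # bootstrap code area of a classic MBR
PART_TABLE_OFF = 446       # four 16-byte partition entries start here
BOOT_SIG = b"\x55\xaa"     # boot signature at offset 510
ENTRY_FMT = "<B3xB3xII"    # status, CHS, type, CHS, start LBA, sector count

def parse_mbr(sector):
    """Summarise a 512-byte sector 0: signature, boot-code hash, partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = struct.unpack_from(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if entry[1] != 0:              # partition type 0 means an unused slot
            parts.append(entry)
    return {
        "signature_ok": sector[510:512] == BOOT_SIG,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
    }

def compare_to_baseline(baseline, current):
    """Return a list of findings; an empty list means sector 0 is unchanged."""
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("bootstrap code changed")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings

def build_sample_mbr(boot_code, partitions):
    """Assemble a constructed sector for testing (not read from a real disk)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, fields in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i, *fields)
    sector[510:512] = BOOT_SIG
    return bytes(sector)

# Constructed samples: placeholder bytes stand in for boot code.
GOOD = build_sample_mbr(b"\x01" * 64, [(0x80, 0x07, 2048, 204800)])
TAMPERED = build_sample_mbr(b"\x02" * 64, [(0x80, 0x07, 2048, 204800)])

if __name__ == "__main__":
    print(compare_to_baseline(parse_mbr(GOOD), parse_mbr(TAMPERED)))
```

On a real Windows host the 512 bytes would come from reading the start of `\\.\PhysicalDrive0` with administrator rights; keep the baseline off the monitored machine so it cannot be altered along with the disk.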

It has been found that some crooks behind HDDCryptor are asking users for 1 Bitcoin (around $610) to unlock the hard drive. Moreover, at least four people have reportedly already paid the ransom fee.