The DiskWriter or UselessDisk BootLocker May Be A Wiper

cyber

A new MBR bootlocker called DiskWriter, or UselessDisk, has been discovered that overwrites the MBR of a victim’s computer and then displays a ransom screen on reboot instead of booting into Windows. This ransom note asks for $300 in bitcoins in order to gain access to Windows again.

Ransom Screen
Ransom Screen

First discovered by security researcher Dmitry Melikov, this infection is being distributed under the DiskWriter.exe or UselessDisk.exe filenames. The sample also includes a PDB string of E:\Debug\UselessDisk.pdb, which indicates that the developer named this infection UselessDisk.

When this infection is executed it will replace the MBR with its own bootloader and then reboots the computer using the “shutdown -r -t 0” command. Once the computer is rebooted, it will display the ransom screen shown above.

This screen contains instructions to send $300 USD in bitcoins to the static bitcoin address of 1GZCw453MzQr8V2VAgJpRmKBYRDUJ8kzco. At this time, no payments have been made to this address.

When I tested this sample, I was not able to remove the bootlocker by simply fixing the Master Boot Record (MBR), and after fixing the MBR, the machine was displaying an invalid partition table error. Therefore, it’s likely the MFT or partition table is purposely corrupted or encrypted.

Invalid Partition Table Error
Invalid Partition Table Error

Furthermore, as all victims receive the same bitcoin address, there is no contact information, the internal project name is UselessDisk, and there is no way for the developers to know who paid a ransom, I feel that this infection was designed to be destructive and not to actually be a ransomware. As more information becomes available, I will update this article.

 

to read the original article:

https://www.bleepingcomputer.com/news/security/the-diskwriter-or-uselessdisk-bootlocker-may-be-a-wiper/

 

Laisser un commentaire

Votre adresse de messagerie ne sera pas publiée. Les champs obligatoires sont indiqués avec *

Next Post

A new massive cryptomining campaign target Linux servers exploiting old flaw

Trend Micro uncovered a new crypto mining campaign targeting Linux servers that exploit the CVE-2013-2618 flaw in Cacti’s Network Weathermap plug-in, which system administrators use to visualize network activity. Security firm Trend Micro uncovered new crypto mining campaign, a cybercriminal gang has made nearly $75,000 by installing a Monero miner […]