Safeguarding Data : How Ransomware Can Affect the Master Boot Record (MBR)

Ransomware is becoming one of the most dangerous cyber attack methods that businesses face, as well as the most lucrative for cyber criminals. Hackers are beginning to target organizations of all sizes to infect more networks and yield a bigger payday. In fact, businesses in 10 states experienced a 500 percent boost in ransomware attacks, Small Business Trends reported. For small- and medium-sized businesses globally, there was a 231 percent increase year-over-year from Q1 2016 to Q1 2017.

SMBs and many other organizations cannot afford the costs and damages that ransomware brings. Global ransomware damage costs could go over $5 billion this year, a remarkable increase from $325 million in 2015, according to Cybersecurity Ventures. Ransomware is becoming more sophisticated to convince users into downloading malicious files and waiting while the program takes over the machine. By the time individuals realize what happened, the ransomware may have already cracked the master boot record and taken control. Let’s take a closer look at how ransomware can hack into your Master Boot Record and ways to protect your business from this rising threat.

Petya was the first ransomware to encrypt the Master Boot Record.

Tales of Petya

Typically, when ransomware impacts a user, the best thing to do is to reboot the machine and restore everything from backups. However, if the Master Boot Record has been compromised, users are completely locked out of their computers and held at the whim of the attacker. One of the first and most successful examples of this comes from the 2016 Petya campaign. When downloaded, Petya would overwrite the MBR and leave the operating system in an unbootable state, according to PCWorld. Without proper access to the MBR, the computer can’t identify which partitions in the hard disk drive contain an OS or how to start it.

Petya ransomware helped solidify the trend for sophisticated threats that appear to be legitimate messages or documents. As with most other ransomware, Petya was distributed through spam emails, but often masqueraded as job applications, targeting human resources departments. The emails contained a link to a shared Dropbox folder containing a self-extracting archive, which viewers believe to be the applicant’s CV and photo. When the ransomware is installed, it rewrites the MBR and triggers the Blue Screen of Death, forcing the computer to reboot. Once the computer is back up, rogue MBR code will appear to “check disk operations” that would normally occur after a BSOD. Instead, the ransomware encrypts the master file table, making it so that the OS doesn’t know where files are located on the disk.

Rather than doing what nearly all other ransomware does and encrypting files, Petya held the entire system hostage, saving time for the attacker. In addition, this would ensure that hackers could easily rebuild the actual files quickly. In 2017, Petya made a comeback with a new variant containing wiper code. According to The Hacker News, the new strain didn’t keep a copy of the replaced MBR, meaning that infected computers won’t be bootable even if the victims get the decryption keys. This just reinforces the advice to not pay the ransom and keep backups of your system on hand.
“After its success, other strains started targeting the MBR as well.”

ExPetr and Satana Follow in Petya’s Footsteps

Petya set a new standard for ransomware and effective ways to lock down machines. After its success, other strains started targeting the MBR as well. Mere months after Petya, Satana emerged as the second ransomware that would encrypt the MBR as well as user files. According to CSO Online, the main difference between the two threats is that Satana doesn’t encrypt the MFT. This makes it harder to fix the hacker’s actions and restore systems. While Satana hadn’t been widely distributed and had a few flaws, it still serves as a major threat.

The newer Petya variant with wiper code inspired a malware strain that emerged in June 2017. ExPetr originally infected systems using an update mechanism for a financial software provider. Once installed, attackers were able to steal administrator credentials and spread laterally within the network and connected domains, ThreatPost reported. The malware overwrote the MBR as well, but the wiper capabilities ensured that there was no way to decrypt files. A bug within the encryption code prevented any decryption keys from working, sabotaging PCs globally.

There are a few things you can do to secure your MBR.

Keeping Your Master Boot Record Secure

The MBR is critical, and if it’s is corrupted by ransomware, that could mean that you’ve lost your data for good. Rather than take the chance, organizations should put security measures in place now to ensure they’re protected against these rising threats. There are a few safeguards that will be necessary for these efforts:

1. Training Your Staff

Negligent employees remain the No. 1 cause of breaches across businesses. It will be necessary to establish ongoing training sessions that address new malware trends and how to spot potential threats. Enforcing best practices will help workers look twice before they click on links or download files.

2. Application Control Solutions

Anti-virus can help detect a lot of common malware threats, but it can’t keep up with the evolving sophistication of newer strains. Faronics Anti-Executable fills in the security gaps with the best application control solution available. It’s easy to use and balances flexibility with protection for your critical endpoints. By using this type of solution, organizations have guaranteed protection from zero-day threats, ransomware and other malicious attacks.

3. Backups

If regular system backups aren’t part of your security strategy, they should be. If ransomware locks down your Master Boot Record, there’s not much chance of recovering from that type of incident. Instead of paying the ransom, wipe your system and restore it from your backups. It’s also important to regularly test your backups to ensure that essential assets are available and that you’re prepared in an emergency.

Ransomware is a predominant threat that’s becoming more sophisticated over time. As strains evolve to overwrite the MBR, cut off user access and maximize damage, organizations must take action to secure their machines. For more information on how to protect your Master Boot Record and your business data from ransomware, contact Faronics today.

Matt Williams

A self-proclaimed ‘tech geek’, Matt has worked in technology for a decade and divides his time between blogging and working in IT. A huge New York Giants fan, when not watching football Matt gets his game on playing Call of Duty with his friends and other tech bloggers.