
A malware distributor has decided to play a nasty prank by locking victims' computers before they can start Windows and then blaming the infection on two well-known and respected security researchers.
Over the past 24 hours, after downloading and installing software from what appear to be free software and crack sites, people have suddenly found themselves locked out of their computers before Windows starts.
When locked out, the PC displays a message stating that they were infected by Vitali Kremez and MalwareHunterTeam, who are both well-known malware and security researchers and have nothing to do with this malware.

The full text of this MBRLocker can be read below:
Hello, my name is Vitali Kremez. I infected your stupid PC. you idiot.
Write me in twitter @VK_intel if you want your computer back
If I do not answer, write my husband twitter.com/malwrhunterteam
To protect your ***ing computer in future install SentinelOne antivirus. I work here as head of labs.
Vitali Kremez Inc. () 2020
Another variant, calling itself "SentinelOne Labs Ransomware", is also being distributed; it targets only Vitali Kremez and discloses his email addresses and phone numbers.

The text of this variant is:
~SentinelOne Labs Ransomware~
Your system was unprotected, so we locked down access to Windows.
You need to buy SentinelOne antivirus in orer to restore your computer.
My name is Vitali Kremez. Contacts are below.
Phone: XXX
E-mail 1: XXX
E-mail 2: xxx
After you buy my antivirus I will send you unlock code.
Enter Unlock code:
These infections are called MBRLockers because they replace a computer's master boot record (MBR) so that the operating system cannot start and a ransom note or other message is displayed instead.
This type of infection is used in ransomware attacks such as Petya or as a destructive wiper to prevent people from accessing their files.
In this particular case, it looks like a malware developer or distributor is trying to tarnish the name of Kremez and MalwareHunterTeam and released this infection as a destructive prank.
To reiterate, MalwareHunterTeam and Kremez have nothing to do with this infection.
Possible recovery options
The information below should be used at your own risk and could lead to the loss of your data. Use at your own risk!
BleepingComputer and other researchers have been able to gain access to samples of this wiper, and unfortunately it does not save a copy of the original MBR before replacing it.
This means that the partition table, which is used to identify the disk partitions created on the installed hard drives, has been erased.
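To make the damage described above concrete, the following added example (not from BleepingComputer or any of the researchers named here) parses the first two sectors of a raw disk image and reports whether the partition table in sector 0 survives and whether a GPT header is still present at LBA 1. The sample images are constructed inline; the "locked" sector is just a text string plus a boot signature, not real malware code.

```python
import struct

SECTOR = 512
GPT_SIGNATURE = b"EFI PART"

def build_mbr(partitions):
    """Build a 512-byte MBR from (status, type, start_lba, sector_count) entries.
    Boot code is left as zeros; CHS fields are zeroed since loaders use the LBA fields."""
    table = b"".join(struct.pack("<B3sB3sII", s, b"\0\0\0", t, b"\0\0\0", start, count)
                     for s, t, start, count in partitions)
    return b"\0" * 446 + table.ljust(64, b"\0") + b"\x55\xAA"

def inspect_disk(image):
    """Report the boot signature, surviving partition entries and likely layout
    of a raw disk image (needs at least the first two sectors)."""
    mbr = image[:SECTOR]
    parts = []
    for i in range(4):
        _, _, ptype, _, start, count = struct.unpack_from("<B3sB3sII", mbr, 446 + 16 * i)
        if ptype:  # type 0x00 means an unused entry
            parts.append({"type": ptype, "start_lba": start, "sectors": count})
    gpt = image[SECTOR:SECTOR + 8] == GPT_SIGNATURE
    if gpt:
        # A GPT disk normally carries a single protective entry of type 0xEE in sector 0
        layout = "gpt" if any(p["type"] == 0xEE for p in parts) \
            else "gpt (protective MBR lost, header at LBA 1 intact)"
    elif parts:
        layout = "mbr"
    else:
        layout = "no partition table (MBR overwritten or wiped)"
    return {"boot_signature_ok": mbr[510:] == b"\x55\xAA", "partitions": parts, "layout": layout}

# Constructed sample disks (not real malware sectors): a healthy MBR disk, a GPT disk, and
# the same two after sector 0 is replaced by a sector carrying only a message and a signature.
HEALTHY_MBR = build_mbr([(0x80, 0x07, 2048, 204800)]) + b"\0" * SECTOR
HEALTHY_GPT = build_mbr([(0x00, 0xEE, 1, 0xFFFFFFFF)]) + GPT_SIGNATURE.ljust(SECTOR, b"\0")
LOCKED_SECTOR0 = b"Your system is locked".ljust(510, b"\0") + b"\x55\xAA"
LOCKED_MBR = LOCKED_SECTOR0 + HEALTHY_MBR[SECTOR:]
LOCKED_GPT = LOCKED_SECTOR0 + HEALTHY_GPT[SECTOR:]

if __name__ == "__main__":
    for name, img in [("healthy mbr", HEALTHY_MBR), ("locked mbr", LOCKED_MBR),
                      ("healthy gpt", HEALTHY_GPT), ("locked gpt", LOCKED_GPT)]:
        print(name, inspect_disk(img))
```

On a real system the same check can be run against the first 1024 bytes read from the physical disk; the locked GPT case is the one where the partitions remain recoverable from LBA 1.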
Some users have stated that they have had success recovering their computers using Windows installation media and using the following commands as described here:
bootrec /fixboot
bootrec /scanos
bootrec /fixmbr
bootrec /rebuildbcd
BleepingComputer did not have any success with the above methods; they caused our test computer to display an error screen after rebooting.
According to a blog post by Marius Genheimer, it may also be possible to use TestDisk to recover partitions.
The good-ish news is that in this case the changes made to the Master Boot Record are reversible with a backup of the MBR sector. Alternatively victims can try to repair the MBR with Microsoft's bootrec /fixmbr and /fixboot. Success in this case depends on the partition style of the Windows install (since the MBR in GPT layouts is reserved for protective reasons; on MBR installs bootrec may not be able to recover the partition table because the whole sector is overwritten. See Vitali's tweet here). I verified on a physical GPT install that LBA 1 and following is not affected by the MBRLocker and should keep the GPT recoverable. TestDisk is theoretically capable of recovering both partitioning layouts. I'd advise victims to use file recovery software like PhotoRec as an option for data recovery if a clean install is necessary.
Once again, this is untested by BleepingComputer and success may vary depending on the computer and setup.
If you are not comfortable performing any of these steps, I suggest you bring your computer to a computer repair professional to get assistance rather than attempting them on your own.
Update 4/14/20: Added possible recovery options. Use at your own risk.
Comments
Some-Other-Guy - 3 years ago
Hahahahhahahhahhahhahhahhhahhahhahhahahhahahha
I wonder who R-K wants assassinated over this?
BlueCat49 - 3 years ago
While I understand the need to fund a website through passive income sources, my recently installed adblocker blocked over 80 items on this page the first time I visited. That seems a bit excessive.