Though not very common, Master Boot Record (MBR) encrypting or modifying ransomware can be disastrous when they hit.  This is because they will not bother encrypting the actual files and instead encrypt a drive's Master File Table, or MFT, which essentially makes all of a victim's files inaccessible until the ransom is paid.

To battle these types of malware, Cisco Talos has released a Windows disk filter driver called MBRFilter that listens for programs trying to modify the Master Boot Record and blocks them. This effectively blocks these types of ransomware from being installed and encrypting the MBR.

Below, I have created a video that demonstrates what happens when we try to install Satana, Petya, and Petya+Mischa while MBRFilter is installed.

As you can see from the video, MBRFilter did an excellent job blocking all ransomware infections from affecting the Master Boot Record. As a test, I also installed the Petya+Mischa combo installer and press No at the UAC prompt. This caused Mischa to be installed, which was successfully able to encrypt the files on the computer. 

The fact that Mischa was able to run does not take away from the capabilities of MBRFilter as it is not designed to block those types of ransomware. It does, though, indicate that a ransomware installer may be able to try and modify the MBR, and if unsuccessful, install a file encrypting ransomware instead.

Installing MBRFilter is Easy

To install MBRFilter, simply go to the projects release page and download either the 32-bit or 64-bit version of the driver.  Once downloaded, extract the folder and you should see two files; a installation inf file called MBRFilter.inf and a driver called MBRfilter.sys.  


To install the driver, simply right-click on the INF file and select Install as shown in the image below.

Install MBRFilter
Install MBRFilter

Once the driver is installed, Windows will prompt you to reboot the computer. Once you reboot the computer the driver will be installed and guarding your MBR from being modified.

Now if a ransomware, or other infection, attempts to modify the computer's MBR, the driver will intercept the request and block it. It will then display a message like the one below indicating that it has been blocked.

Satana blocked by MBRFilter
Satana blocked by MBRFilter

If you wish to uninstall MBRFilter in the future, you can follow the instructions on the project's Github page.

Related Articles:

WannaCry Déjà Vu: Petya Ransomware Outbreak Wreaking Havoc Across the Globe

Vaccine, not Killswitch, Found for Petya (NotPetya) Ransomware Outbreak

AZORult Trojan Serving Aurora Ransomware by MalActor Oktropys

The Week in Ransomware - August 17th 2018 - Princess Evolution & Dharma

Princess Evolution Ransomware is a RaaS With a Slick Payment Site