Though not very common, ransomware that encrypts or modifies the Master Boot Record (MBR) can be disastrous when it hits. Rather than encrypting the actual files, it modifies the MBR and encrypts the drive's Master File Table (MFT), which effectively makes all of a victim's files inaccessible until the ransom is paid.
To battle these types of malware, Cisco Talos has released a Windows disk filter driver called MBRFilter that intercepts attempts by programs to write to the Master Boot Record and blocks them. This effectively prevents these types of ransomware from being installed and modifying the MBR.
Below is a video I created that demonstrates what happens when we try to install Satana, Petya, and Petya+Mischa on a computer with MBRFilter installed.
As you can see from the video, MBRFilter did an excellent job of blocking all of the ransomware infections from affecting the Master Boot Record. As a further test, I also installed the Petya+Mischa combo installer and pressed No at the UAC prompt. This caused Mischa to be installed instead, which successfully encrypted the files on the computer.
The fact that Mischa was able to run does not take away from the capabilities of MBRFilter, as it is not designed to block that type of ransomware. It does, though, show that a ransomware installer may first try to modify the MBR and, if that fails, fall back to installing file-encrypting ransomware instead.
Installing MBRFilter is Easy
To install MBRFilter, simply go to the project's release page and download either the 32-bit or 64-bit version of the driver. Once downloaded, extract the folder and you should see two files: an installation INF file called MBRFilter.inf and the driver itself, MBRFilter.sys.

To install the driver, simply right-click on the INF file and select Install as shown in the image below.

Once the INF has been processed, Windows will prompt you to reboot the computer. After the reboot, the driver is loaded and guards your MBR against modification.
Now if ransomware, or any other program, attempts to modify the computer's MBR, the driver will intercept the write request and block it. It will then display a message like the one below indicating that the attempt was blocked.

If you wish to uninstall MBRFilter in the future, you can follow the instructions on the project's GitHub page.
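After the reboot, a quick way to confirm that MBRFilter really sits above the disk class driver, and to record a baseline hash of sector 0 for later comparison, is the following PowerShell script. It is an added example, not part of this article or of the MBRFilter project; it assumes the service name MBRFilter and the driver path System32\drivers\MBRFilter.sys that the INF creates, and the class GUID is the standard Windows disk-drive class. Run it from an elevated prompt.

```powershell
# Added example (not from the MBRFilter project): verify the filter is registered and baseline the MBR.
# Assumes the service name "MBRFilter" and driver path created by MBRFilter.inf; run elevated.
$DiskClass = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}'
$Service   = 'HKLM:\SYSTEM\CurrentControlSet\Services\MBRFilter'

function Test-MbrFilterInstalled {
    # 1. Service key exists and is boot-start (Start = 0), so the driver loads before any user code.
    $svc = Get-ItemProperty -Path $Service -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning 'MBRFilter service key missing'; return $false }
    if ($svc.Start -ne 0) { Write-Warning "Start type is $($svc.Start), expected 0 (boot start)" }

    # 2. Driver is listed in the disk class UpperFilters; that is what puts it above disk.sys in the stack.
    $filters = (Get-ItemProperty -Path $DiskClass -Name UpperFilters -ErrorAction SilentlyContinue).UpperFilters
    if ($filters -notcontains 'MBRFilter') { Write-Warning 'MBRFilter not in disk class UpperFilters'; return $false }

    # 3. Driver binary is present and carries a valid Authenticode signature.
    $sys = Join-Path $env:SystemRoot 'System32\drivers\MBRFilter.sys'
    $sig = Get-AuthenticodeSignature -FilePath $sys
    if ($sig.Status -ne 'Valid') { Write-Warning "Driver signature status: $($sig.Status)"; return $false }

    # 4. Driver is actually loaded right now, not just registered.
    $running = Get-CimInstance Win32_SystemDriver -Filter "Name='MBRFilter'"
    return [bool]($running -and $running.State -eq 'Running')
}

function Get-MbrHash {
    param([int]$DiskNumber = 0)
    # GPT disks keep a protective MBR in sector 0, so the baseline is meaningful on both layouts.
    # 512-byte read assumes a 512-byte (or 512e) sector size; 4Kn disks need a 4096-byte read.
    $stream = New-Object System.IO.FileStream("\\.\PhysicalDrive$DiskNumber", 'Open', 'Read', 'ReadWrite')
    try {
        $sector = New-Object byte[] 512
        $null = $stream.Read($sector, 0, 512)
    } finally { $stream.Dispose() }
    # Every valid MBR ends in 55 AA; a zeroed or garbage sector is itself a red flag.
    if ($sector[510] -ne 0x55 -or $sector[511] -ne 0xAA) { Write-Warning 'Sector 0 lacks the 55AA boot signature' }
    $sha = [System.Security.Cryptography.SHA256]::Create()
    return ([System.BitConverter]::ToString($sha.ComputeHash($sector)) -replace '-')
}

# Partition style answers the UEFI/GPT question from the comments (Get-Disk needs Windows 8 or later).
if (Get-Command Get-Disk -ErrorAction SilentlyContinue) { "Disk 0 partition style: $((Get-Disk -Number 0).PartitionStyle)" }
"MBRFilter installed and running: $(Test-MbrFilterInstalled)"
"SHA-256 of sector 0 (store and compare after each boot): $(Get-MbrHash)"
```

Re-running Get-MbrHash on a schedule and comparing against the stored value gives a cheap integrity check that complements the driver, since a changed hash means something wrote to sector 0 despite the filter.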
Comments
TsVk! - 8 years ago
Thanks, interesting article.
The_Thorn_Within - 8 years ago
OK. Let me get this out of the way - I have a UEFI "BIOS" PC running Win 10 that was upgraded from Win 8. I also have an external drive that I connect once a month to run a backup. I practice safe internet. That being said... just the thought of ransomware gets my knickers in a knot.
I don't ever plan on messing with the partitions on my HDD. Can I simply install the MBRFilter, forget about it and let it do its thing? I really don't want to have to uninstall it by running AccessMBR and rewriting the MBR if I don't have to.
xXToffeeXx - 8 years ago
If you have UEFI, then you don't have an MBR and so these types of ransomware (apart from the one which has a normal mode ransomware built in) cannot affect you.
Dirk41 - 8 years ago
Hello! I had the same question: so, out of curiosity, what protects us? The fact that we don't have an MBR (well, actually I found on wiki that GPT disks have a sector at the beginning called MBR, what's that?) or the secure boot of UEFI? Thank you
al1963 - 8 years ago
Yes, the protection works, tested with Red Petya as an example.
Here is information about the installed driver:
sbwertz - 8 years ago
When I click on the INF file I get Open, Explore, Cut, Delete and Properties...No Install. Does this not work on Win7?
Lawrence Abrams - 8 years ago
Worked for me in Windows 7.