October 24, 2016

This Open-Source Tool Protects Your MBR from Ransomware

Cisco Systems’ Talos cybersecurity team has released a freely available open-source tool that protects a computer’s master boot record from malware, including ransomware.

The Master Boot Record (MBR) is the first sector on a hard drive, and it stores the bootloader needed to start the computer’s operating system, which makes it a common target for malware. Malware authors have predictably targeted the MBR in an attempt to lock down the entire computer rather than focusing on individual files on the hard drive.

Malware that modifies the MBR in order to infect a computer is typically known as a rootkit or bootkit. A bootkit, or boot-specific malware, installs ransomware and other malicious software into the Windows kernel of the target’s computer, making it nearly impossible to detect. If successful, the bootkit compromises the victim’s entire computer.

Suffice it to say, it is important that the MBR is protected and that any channel an unauthorized program could use to tweak or modify the MBR is closed off.

The Talos team from Cisco has devised a free tool called MBRFilter, which uses a simple yet effective method to outmaneuver this kind of malware. MBRFilter is a signed system driver that makes the MBR read-only. This effectively eliminates any chance of malware or other software modifying the MBR for nefarious purposes.

In a blog post, Talos explained:

MBRFilter is a simple disk filter based on Microsoft’s diskperf and classpnp example drivers. It can be used to prevent malware from writing to Sector 0 on all disk devices connected to a system.

Once it is installed, the system must be booted into Safe Mode before Sector 0 of the disk, which contains the MBR, can be made accessible for modification.
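As an added example (not code from Talos or the MBRFilter project), the following Python script shows what lives in Sector 0 and how a defender could detect an unauthorized change to it: it parses the 512-byte MBR into bootstrap code, partition table and 0x55AA signature, and compares hashes against a known-good baseline. The sample sector bytes and the function names are constructed for illustration.

```python
import hashlib
import struct

BOOT_CODE_LEN = 446          # bootstrap code occupies bytes 0..445 of Sector 0
PART_TABLE_OFF = 446         # four 16-byte partition entries follow the code
MBR_SIGNATURE = b"\x55\xAA"  # bytes 510..511 of a valid MBR

def parse_mbr(sector: bytes) -> dict:
    """Split Sector 0 into bootstrap code, used partition entries and signature flag."""
    if len(sector) != 512:
        raise ValueError("Sector 0 must be exactly 512 bytes")
    parts = []
    for i in range(4):
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0x00 marks an unused entry
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": parts,
            "signature_ok": sector[510:512] == MBR_SIGNATURE}

def fingerprint(sector: bytes) -> dict:
    """Baseline hashes, taken from a known-good MBR (for example right after install)."""
    return {"boot_code": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partition_table": hashlib.sha256(sector[PART_TABLE_OFF:510]).hexdigest()}

def check_mbr(sector: bytes, baseline: dict) -> list:
    """Return findings; an empty list means Sector 0 still matches the baseline."""
    current = fingerprint(sector)
    findings = []
    if not parse_mbr(sector)["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if current["boot_code"] != baseline["boot_code"]:
        findings.append("bootstrap code differs from baseline (possible bootkit)")
    if current["partition_table"] != baseline["partition_table"]:
        findings.append("partition table differs from baseline")
    return findings

# Constructed sample: a minimal MBR with one bootable NTFS-type (0x07) partition.
CLEAN_MBR = (bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]).ljust(BOOT_CODE_LEN, b"\x00")
             + struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1024000)
             + b"\x00" * 48 + MBR_SIGNATURE)
# Constructed tamper: the first bootstrap bytes have been overwritten, signature intact.
TAMPERED_MBR = b"\xFA\x31\xC0" + CLEAN_MBR[3:]

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, fingerprint(CLEAN_MBR)))
    print("tampered:", check_mbr(TAMPERED_MBR, fingerprint(CLEAN_MBR)))
```

On a real system the 512 bytes would be read from the raw disk device with administrator rights and the baseline stored somewhere the malware cannot reach; a write-blocking filter such as MBRFilter prevents the change, while a check like this only detects it after the fact.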

The Talos team demonstrated the tool on a virtual machine infected by the Petya ransomware, which was rendered ineffective once MBRFilter had been installed.

 Image credit: Pexels.

About the author

LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagements experience while providing a strategic and integrated array of services to minimum risk and disruption while protecting your brand.
