Home > Trojan > MBRlock Virus — How to Remove + Restore Encrypted Files

MBRlock Virus — How to Remove + Restore Encrypted Files

The MBRlock virus is a dangerous ransomware that is able to corrupt the Master Boot Record (MBR) of the victim machines. It then extorts the victims to pay a ransomware fee. The infections can also cause a wide variety of system changes and the installation of other viruses.

Threat Summary

Name MBRlock
Type Ransomware, Cryptovirus
Short Description The main goal of the MBRlock Virus is to encrypt sensitive user files and extort the victims for a ransom fee payment.
Symptoms The victims will be unable to boot their computers once the MBRlock virus has executed its components.
Distribution Method Spam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by malware


Malware Removal Tool

User Experience Join Our Forum to Discuss MBRlock.
Data Recovery Tool Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

MBRlock Virus – Infection Process

The MBRlock virus is distributed using the most popular infection strategies. At the moment it is not possible to judge which is the primary distribution method. It is possible to create several campaigns running at once in order to maximize the infection ratio. In this article we list the most popular ways which the virus operators can utilize in order to spread it.

Email messages are among the top choices when it comes to bulk sending of malware copies. The hackers employ social engineering techniques in order to blackmail the victims into interacting with the dangerous components. Depending on the case there are two primary forms that the messages can take:

  • File Attachments — These types of messages include the MBRlock virus as an integrated part of the contents. The samples are attached directly and the victims are manipulated through to interact with the malware. In certain cases the files can be placed in archives that needs to be opened using the quoted password in the message. This is an often used trick that is used several scenarios throughout the years.
  • Malware Links — The email messages links to MBRlock virus instances that are hosted on malware sites.

Two specific cases are noteworthy for being popular in the last few months. The first one is the distribution of infected documents that contain malware scripts. Once the files are opened a notification message pops-up and requests the execution of built-in macros (scripts). If this is done the infection follows as the malware is downloaded from a remote site and started on the compromised machine. Such files usually consist of rich text documents, spreadsheets and presentations. The other type of infection is the distribution of malware software installers. They are very dangerous as sometimes the victims have no indication that the setup file can infect their computers with viruses. These files are made by taking legitimate installers of famous software (either free or trial versions) that are then modified to include the dangerous code. In certain cases the victims can protect themselves from the infections by unchecking certain options during the setup process.

Another method of distribution is the use of browser hijackers that can deliver as part of the their infection behavior patterns. This type of computer malware seek to infect the most popular web browsers (Mozilla Firefox, Google Chrome, Opera, Safari, Internet Explorer and Microsoft Edge) with dangerous code that redirects the victims to a hacker-controlled site. Upon infection with them default settings are changed and various data can be extracted. During this phase the virus infection can be acquired.

MBRlock Virus – Analysis and Activity

An in-depth analysis of the MBRlock virus has been made using captured samples. Its interesting to note that the initial infection engine does contain advanced stealth protection tactics that are found on complex viruses. At the same time the security experts were not able to uncover a similarity with any of the famous malware families. The fact that the stealth protection is launche at the beginning of the infection shows that it might be difficult for some security software to detect and remove the virus if it cannot detect its signatures.

The module creates a detailed profile of the installed security software. Once all potential applications are detected the virus can opt to bypass or entirely remove the program. If they are unable to do so they can remove themselves from the computer to avoid detection.

A next step is the launch of an information gathering module that starts to gather sensitive data from the compromised hosts. In a similar to way browser hijackers the collected data can be classified into two categories:

  • Personally-Identifiable Information — This type of data refers can directly expose the victim’s identity: name, telephone, address, passwords, account credentials and etc.
  • Anonymous Data — Such information is used by the hackers to judge how effective the attack campaign is. It is mainly composed of operating system data and the available hardware components.

Significance is given to location data such as the host’s machine time, timezone and user set regional settings. This is done in order to select an appropriate version of the ransom note in the later stages. Once all security software have been bypassed the malware continues further by creating its own resource forks. The MBRlock virus can hook to running processes and creates its own dependant threads with various privilege levels. This makes it very difficult to uncover how exactly the virus works and at which stage it is currently active.

The modular framework has been found to have a loader component that allows it to be further upgraded with other capabilities. The security experts note that the captured samples were found to modify the boot options, as a result the virus automatically launches every time the computer is started. In addition a persistent state of execution is instituted. As a result the main virus engine modifies the Windows Registry & important operating system configuration files. As a result the victims may experience symptoms such as performance issues and application/service failure.

There are several other dangers that are associated with the MBRlock virus infections. One of them is the ability to deliver additional malware threats. The engine can also allow the criminals to set up a network connection. Using it they can spy on the victims (similar to the way dedicated Trojan viruses work) and overtake control of the compromised hosts at any given time.

Such infections allow the criminal operators to harvest sensitive data from the compromised hosts before the ransomware engine is called. In addition the module can recruit the compromised host into a worldwide botnet. They are usually leased to other hackers and used in massive DDOS attacks against high end targets.

The ransomware engine is also capable of interacting with the Windows Volume Manager which makes it possible to access removable devices and network shares. To make data recovery more difficult the engine can also opt to remove any Shadow Volume Copies of the identified target data. In such cases the victims will need to use the data recovery software listed in our ransomware removal instructions below to restore their computers.

MBRlock Virus – Encryption Process

Once all preliminary components have completed execution the ransomware engine is started. Like other similar threats the default behavior of using a built-in list of target file type extensions is employed. Example data includes the following:

  • Images
  • Videos
  • Music
  • Backups
  • Archives
  • Documents
  • Databases

Some of the acquired samples feature the following built-in list:

.BMP, .CUR, .GIF, .ICO, .JPG, .MID, .PNG, .prn, .txt, .WAV

Once all files have been processed they may be assigned a ransomware extension depending on the case. Usually they take the name of the virus, in this example it would be .mrblock.

One of the most dangerous aspects related to this threat is the fact that the MBRlock virus does not write the ransom note directly as a file, but overwrites the Master Boot Record (MBR) with it. This is the place that keeps the boot loader part of the operating system. As a consequence the victims cannot boot their computers and are blackmailed by the hackers to pay the ransom fine.

The following message is written to the screen:

Your disk have a lock!!!Please enter the unlock password
yao mi ma gei 30 yuan jia qq

How to Remove MBRlock Virus and Restore Encrypted Files

In order to make sure that this malware is permanently gone from your computer, you should follow the manual or automatic removal instructions down below. If you have the experience in removing ransomware manually, we advise you to focus on the first 2 steps from the manual removal and to look for the registry files which we have explained in the analysis part above. Otherwise, if you want a more automatic and faster solution and lack the expertise in malware removal, we urge you to download an advanced anti-malware program, which aims to automatically perform the removal operation of MBRlock ransomware and secures your computer against future infections in real-time.

If you want to restore files that have been encrypted by this ransomware infection, we advise you to try out the alternative tools for file recovery down below in step “2. Restore files encrypted by encrypted Files Virus”. They may not guarantee fully that you will recover all of the files, but if you haven’t reinstalled your OS already, there is a good chance that you might just restore them.

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts

Follow Me:

Preparation before removing MBRlock.

Before starting the actual removal process, we recommend that you do the following preparation steps.

  • Make sure you have these instructions always open and in front of your eyes.
  • Do a backup of all of your files, even if they could be damaged. You should back up your data with a cloud backup solution and insure your files against any type of loss, even from the most severe threats.
  • Be patient as this could take a while.
  • Scan for Malware
  • Fix Registries
  • Remove Virus Files

Step 1: Scan for MBRlock with SpyHunter Anti-Malware Tool

1. Click on the "Download" button to proceed to SpyHunter's download page.

It is recommended to run a scan before purchasing the full version of the software to make sure that the current version of the malware can be detected by SpyHunter. Click on the corresponding links to check SpyHunter's EULA, Privacy Policy and Threat Assessment Criteria.

2. After you have installed SpyHunter, wait for it to update automatically.

SpyHunter 5 Scan Step 1

3. After the update process has finished, click on the 'Malware/PC Scan' tab. A new window will appear. Click on 'Start Scan'.

SpyHunter 5 Scan Step 2

4. After SpyHunter has finished scanning your PC for any files of the associated threat and found them, you can try to get them removed automatically and permanently by clicking on the 'Next' button.

SpyHunter 5 Scan Step 3

If any threats have been removed, it is highly recommended to restart your PC.

Step 2: Clean any registries, created by MBRlock on your computer.

The usually targeted registries of Windows machines are the following:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

You can access them by opening the Windows registry editor and deleting any values, created by MBRlock there. This can happen by following the steps underneath:

1. Open the Run Window again, type "regedit" and click OK.
Remove Virus Trojan Step 6

2. When you open it, you can freely navigate to the Run and RunOnce keys, whose locations are shown above.
Remove Virus Trojan Step 7

3. You can remove the value of the virus by right-clicking on it and removing it.
Remove Virus Trojan Step 8 Tip: To find a virus-created value, you can right-click on it and click "Modify" to see which file it is set to run. If this is the virus file location, remove the value.

Step 3: Find virus files created by MBRlock on your PC.

1.For Windows 8, 8.1 and 10.

For Newer Windows Operating Systems

1: On your keyboard press + R and write explorer.exe in the Run text box and then click on the Ok button.

Remove Virus Trojan Step 9

2: Click on your PC from the quick access bar. This is usually an icon with a monitor and its name is either “My Computer”, “My PC” or “This PC” or whatever you have named it.

Remove Virus Trojan Step 10

3: Navigate to the search box in the top-right of your PC's screen and type “fileextension:” and after which type the file extension. If you are looking for malicious executables, an example may be "fileextension:exe". After doing that, leave a space and type the file name you believe the malware has created. Here is how it may appear if your file has been found:

file extension malicious

N.B. We recommend to wait for the green loading bar in the navigation box to fill up in case the PC is looking for the file and hasn't found it yet.

2.For Windows XP, Vista, and 7.

For Older Windows Operating Systems

In older Windows OS's the conventional approach should be the effective one:

1: Click on the Start Menu icon (usually on your bottom-left) and then choose the Search preference.

Remove Virus Trojan

2: After the search window appears, choose More Advanced Options from the search assistant box. Another way is by clicking on All Files and Folders.

Remove Virus Trojan Step 11

3: After that type the name of the file you are looking for and click on the Search button. This might take some time after which results will appear. If you have found the malicious file, you may copy or open its location by right-clicking on it.

Now you should be able to discover any file on Windows as long as it is on your hard drive and is not concealed via special software.


What Does MBRlock Trojan Do?

The MBRlock Trojan is a malicious computer program designed to disrupt, damage, or gain unauthorized access to a computer system.

It can be used to steal sensitive data, gain control over a system, or launch other malicious activities.

Can Trojans Steal Passwords?

Yes, Trojans, like MBRlock, can steal passwords. These malicious programs are designed to gain access to a user's computer, spy on victims and steal sensitive information such as banking details and passwords.

Can MBRlock Trojan Hide Itself?

Yes, it can. A Trojan can use various techniques to mask itself, including rootkits, encryption, and obfuscation, to hide from security scanners and evade detection.

Can a Trojan be Removed by Factory Reset?

Yes, a Trojan can be removed by factory resetting your device. This is because it will restore the device to its original state, eliminating any malicious software that may have been installed. Bear in mind, that there are more sophisticated Trojans, that leave backdoors and reinfect even after factory reset.

Can MBRlock Trojan Infect WiFi?

Yes, it is possible for a Trojan to infect WiFi networks. When a user connects to the infected network, the Trojan can spread to other connected devices and can access sensitive information on the network.

Can Trojans Be Deleted?

Yes, Trojans can be deleted. This is typically done by running a powerful anti-virus or anti-malware program that is designed to detect and remove malicious files. In some cases, manual deletion of the Trojan may also be necessary.

Can Trojans Steal Files?

Yes, Trojans can steal files if they are installed on a computer. This is done by allowing the malware author or user to gain access to the computer and then steal the files stored on it.

Which Anti-Malware Can Remove Trojans?

Anti-malware programs such as SpyHunter are capable of scanning for and removing Trojans from your computer. It is important to keep your anti-malware up to date and regularly scan your system for any malicious software.

Can Trojans Infect USB?

Yes, Trojans can infect USB devices. USB Trojans typically spread through malicious files downloaded from the internet or shared via email, allowing the hacker to gain access to a user's confidential data.

About the MBRlock Research

The content we publish on SensorsTechForum.com, this MBRlock how-to removal guide included, is the outcome of extensive research, hard work and our team’s devotion to help you remove the specific trojan problem.

How did we conduct the research on MBRlock?

Please note that our research is based on an independent investigation. We are in contact with independent security researchers, thanks to which we receive daily updates on the latest malware definitions, including the various types of trojans (backdoor, downloader, infostealer, ransom, etc.)

Furthermore, the research behind the MBRlock threat is backed with VirusTotal.

To better understand the threat posed by trojans, please refer to the following articles which provide knowledgeable details.

Leave a Comment

Your email address will not be published. Required fields are marked *

This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Privacy Policy.
I Agree