MBRlock Virus — How to Remove + Restore Encrypted Files

MBRlock Virus — How to Remove + Restore Encrypted Files

The MBRlock virus is a dangerous ransomware that is able to corrupt the Master Boot Record (MBR) of the victim machines. It then extorts the victims to pay a ransomware fee. The infections can also cause a wide variety of system changes and the installation of other viruses.

Threat Summary

TypeRansomware, Cryptovirus
Short DescriptionThe main goal of the MBRlock Virus is to encrypt sensitive user files and extort the victims for a ransom fee payment.
SymptomsThe victims will be unable to boot their computers once the MBRlock virus has executed its components.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by MBRlock


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss MBRlock.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

MBRlock Virus – Infection Process

The MBRlock virus is distributed using the most popular infection strategies. At the moment it is not possible to judge which is the primary distribution method. It is possible to create several campaigns running at once in order to maximize the infection ratio. In this article we list the most popular ways which the virus operators can utilize in order to spread it.

Email messages are among the top choices when it comes to bulk sending of malware copies. The hackers employ social engineering techniques in order to blackmail the victims into interacting with the dangerous components. Depending on the case there are two primary forms that the messages can take:

  • File Attachments — These types of messages include the MBRlock virus as an integrated part of the contents. The samples are attached directly and the victims are manipulated through to interact with the malware. In certain cases the files can be placed in archives that needs to be opened using the quoted password in the message. This is an often used trick that is used several scenarios throughout the years.
  • Malware Links — The email messages links to MBRlock virus instances that are hosted on malware sites.

Two specific cases are noteworthy for being popular in the last few months. The first one is the distribution of infected documents that contain malware scripts. Once the files are opened a notification message pops-up and requests the execution of built-in macros (scripts). If this is done the infection follows as the malware is downloaded from a remote site and started on the compromised machine. Such files usually consist of rich text documents, spreadsheets and presentations. The other type of infection is the distribution of malware software installers. They are very dangerous as sometimes the victims have no indication that the setup file can infect their computers with viruses. These files are made by taking legitimate installers of famous software (either free or trial versions) that are then modified to include the dangerous code. In certain cases the victims can protect themselves from the infections by unchecking certain options during the setup process.

Another method of distribution is the use of browser hijackers that can deliver as part of the their infection behavior patterns. This type of computer malware seek to infect the most popular web browsers (Mozilla Firefox, Google Chrome, Opera, Safari, Internet Explorer and Microsoft Edge) with dangerous code that redirects the victims to a hacker-controlled site. Upon infection with them default settings are changed and various data can be extracted. During this phase the virus infection can be acquired.

MBRlock Virus – Analysis and Activity

An in-depth analysis of the MBRlock virus has been made using captured samples. Its interesting to note that the initial infection engine does contain advanced stealth protection tactics that are found on complex viruses. At the same time the security experts were not able to uncover a similarity with any of the famous malware families. The fact that the stealth protection is launche at the beginning of the infection shows that it might be difficult for some security software to detect and remove the virus if it cannot detect its signatures.

The module creates a detailed profile of the installed security software. Once all potential applications are detected the virus can opt to bypass or entirely remove the program. If they are unable to do so they can remove themselves from the computer to avoid detection.

A next step is the launch of an information gathering module that starts to gather sensitive data from the compromised hosts. In a similar to way browser hijackers the collected data can be classified into two categories:

  • Personally-Identifiable Information — This type of data refers can directly expose the victim’s identity: name, telephone, address, passwords, account credentials and etc.
  • Anonymous Data — Such information is used by the hackers to judge how effective the attack campaign is. It is mainly composed of operating system data and the available hardware components.

Significance is given to location data such as the host’s machine time, timezone and user set regional settings. This is done in order to select an appropriate version of the ransom note in the later stages. Once all security software have been bypassed the malware continues further by creating its own resource forks. The MBRlock virus can hook to running processes and creates its own dependant threads with various privilege levels. This makes it very difficult to uncover how exactly the virus works and at which stage it is currently active.

The modular framework has been found to have a loader component that allows it to be further upgraded with other capabilities. The security experts note that the captured samples were found to modify the boot options, as a result the virus automatically launches every time the computer is started. In addition a persistent state of execution is instituted. As a result the main virus engine modifies the Windows Registry & important operating system configuration files. As a result the victims may experience symptoms such as performance issues and application/service failure.

There are several other dangers that are associated with the MBRlock virus infections. One of them is the ability to deliver additional malware threats. The engine can also allow the criminals to set up a network connection. Using it they can spy on the victims (similar to the way dedicated Trojan viruses work) and overtake control of the compromised hosts at any given time.

Such infections allow the criminal operators to harvest sensitive data from the compromised hosts before the ransomware engine is called. In addition the module can recruit the compromised host into a worldwide botnet. They are usually leased to other hackers and used in massive DDOS attacks against high end targets.

The ransomware engine is also capable of interacting with the Windows Volume Manager which makes it possible to access removable devices and network shares. To make data recovery more difficult the engine can also opt to remove any Shadow Volume Copies of the identified target data. In such cases the victims will need to use the data recovery software listed in our ransomware removal instructions below to restore their computers.

MBRlock Virus – Encryption Process

Once all preliminary components have completed execution the ransomware engine is started. Like other similar threats the default behavior of using a built-in list of target file type extensions is employed. Example data includes the following:

  • Images
  • Videos
  • Music
  • Backups
  • Archives
  • Documents
  • Databases

Some of the acquired samples feature the following built-in list:

.BMP, .CUR, .GIF, .ICO, .JPG, .MID, .PNG, .prn, .txt, .WAV

Once all files have been processed they may be assigned a ransomware extension depending on the case. Usually they take the name of the virus, in this example it would be .mrblock.

One of the most dangerous aspects related to this threat is the fact that the MBRlock virus does not write the ransom note directly as a file, but overwrites the Master Boot Record (MBR) with it. This is the place that keeps the boot loader part of the operating system. As a consequence the victims cannot boot their computers and are blackmailed by the hackers to pay the ransom fine.

The following message is written to the screen:

Your disk have a lock!!!Please enter the unlock password
yao mi ma gei 30 yuan jia qq

How to Remove MBRlock Virus and Restore Encrypted Files

In order to make sure that this malware is permanently gone from your computer, you should follow the manual or automatic removal instructions down below. If you have the experience in removing ransomware manually, we advise you to focus on the first 2 steps from the manual removal and to look for the registry files which we have explained in the analysis part above. Otherwise, if you want a more automatic and faster solution and lack the expertise in malware removal, we urge you to download an advanced anti-malware program, which aims to automatically perform the removal operation of MBRlock ransomware and secures your computer against future infections in real-time.

If you want to restore files that have been encrypted by this ransomware infection, we advise you to try out the alternative tools for file recovery down below in step “2. Restore files encrypted by encrypted Files Virus”. They may not guarantee fully that you will recover all of the files, but if you haven’t reinstalled your OS already, there is a good chance that you might just restore them.

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts - Website

Follow Me:
TwitterGoogle Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share