SentinelOne researcher trolled in new MBRLocker ransomware campaign

Malware was released using the researcher’s name as author, alongside his contact details.
Written by Charlie Osborne, Contributing Writer

SentinelOne has spoken out after an "attention-seeking prankster" trolled one of the firm's security researchers with the release of a new ransomware strain. 

On Wednesday, the cybersecurity firm said that new MBRLocker malware variants have been released in a consistent wave over April, and while many of them appear to be little more than "pranks" rather than serious attempts at deploying ransomware capable of generating a profit, one particular release caught the company's attention. 

SentinelOne says that a new MBRLocker variant has been spotted in the wild using researcher Vitali Kremez's name in what is likely an attempt to bait the team. 

The ransomware note is laced with profanity and calls the victim a "stupid idiot," demanding that they message Vitali Kremez's Twitter account to have their PC restored. 

"To protect your f*cking computer in future install SentinelOne antivirus," the note says. "I work here as head of labs."

What makes the situation unusual, however, is that the individual behind the malware made things personal by also releasing Kremez' personal contact details at the same time, according to the company. The note urged victims to buy 'his' antivirus software for a decryption key.

@MalwareHunterTeam researchers were also taunted and named as Kremez' "husband" in the note.  

"While we wouldn't ordinarily comment on such stunts, the issue has already been widely reported," the company says. "Needless to say, neither SentinelOne nor any of the named researchers are in any way associated with this destructive prank."

MBRLocker, also known as DexLocker, is a ransomware and wiper malware family that attempts to compromise an infected machine's Master Boot Record (MBR). A malicious BIOS is then introduced which asks for a ransom in return for restored access. 

This malware is commonly spread through warez and cracked software. 

MBR-targeting malware aims to prevent users from being able to boot up, even in Safe Mode, but with an extra bootable device, it is often relatively simple to unlock. Restoring from a backup is generally recommended.  

In this case, however, the Kremez-signed malware appears to be more destructive. According to the researcher, the ransomware wipes the full 512 bytes of the MBR, including the partition table, and so it is likely a full restore will be one of the few options available to victims. 
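
The difference between a locker that only replaces the boot code and one that wipes the whole sector can be checked on a 512-byte dump of the disk's first sector. The Python below is an added example, not code from SentinelOne or the researchers named in the article; the function names, verdict strings and sample sectors are constructed for illustration, and the offsets assume the classic MBR layout.

```python
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 440   # classic MBR: boot code occupies bytes 0..439
PT_OFFSET = 446       # four 16-byte partition entries start here
SIG_OFFSET = 510      # boot signature bytes 0x55 0xAA
ENTRY = "<B3xB3xII"   # status, CHS (skipped), type, CHS (skipped), LBA start, sector count

def parse_partitions(sector):
    """Return the non-empty partition entries of a 512-byte MBR sector."""
    found = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY, sector, PT_OFFSET + 16 * i)
        if ptype != 0 and count != 0:
            found.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    return found

def triage_mbr(sector, baseline=None):
    """Classify a dumped MBR sector; baseline is an optional known-good backup copy."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    parts = parse_partitions(sector)
    if len(set(sector)) == 1:
        verdict = "sector-wiped"                     # every byte identical, table gone too
    elif not parts:
        verdict = "partition-table-lost"             # full restore or partition recovery needed
    elif sector[SIG_OFFSET:] != b"\x55\xaa":
        verdict = "signature-missing"
    elif baseline is not None and sector[:BOOT_CODE_END] != baseline[:BOOT_CODE_END]:
        verdict = "boot-code-replaced-table-intact"  # boot code can be rewritten, table kept
    else:
        verdict = "table-intact"
    return verdict, parts

def build_sample(boot_fill, with_table=True):
    """Construct a synthetic MBR sector for the demo (not real disk data)."""
    sector = bytearray([boot_fill]) * PT_OFFSET + bytearray(66)
    if with_table:
        struct.pack_into(ENTRY, sector, PT_OFFSET, 0x80, 0x07, 2048, 1_000_000)
        sector[SIG_OFFSET:] = b"\x55\xaa"
    return bytes(sector)

if __name__ == "__main__":
    good = build_sample(0x90)                        # constructed known-good backup
    for name, dump in [("backup", good), ("boot code replaced", build_sample(0xCC)),
                       ("table overwritten", build_sample(0xCC, with_table=False)),
                       ("zeroed sector", bytes(SECTOR_SIZE))]:
        print(name, "->", triage_mbr(dump, baseline=good)[0])
```

A known-good copy of the first sector taken before an incident is what makes the boot-code comparison possible; without one, the function can only report whether the partition table and signature survive.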


"Crude wiper malware like the one we've seen this week is just a destructive prank that yields only two things for the perpetrators: thrills and publicity," SentinelOne says. "For victims without the protection of a modern security solution, it's nothing but misery. Therein lies the one thing that such pranksters do have in common with professional cybercriminals: a lack of concern for the damage they do."
