‘Seftad’ Ransomware Encrypts Drives Demands $100 For Fix
There are several new version of the GpCode ransomware running wild around the web these days however there is a new even nastier piece of code that researchers have discovered that is even more alarming. The new MBR-infecting ransomware known as Seftad overwrites the master boot record on infected machines telling victims that their hard drives have been encrypted and demands a payment of $100 to reverse the damage.
This malware which was first detected and analyzed by Kaspersky Lab malware analyst Denis Maslennikovas shows as Trojan-Ransom.Win32.Seftad.a and Trojan-Ransom.Boot.Seftad.a. This ransomware is downloaded by Trojan.Win32.Oficla.cw. If Seftad.a was downloaded by Oficla.cw and run, the victim’s PC is rebooted.
This new approach at attacking the master boot record (MBR) is something new that we haven’t seen from ransomware in the past. Several variants include the new GpCode utilizes actual encryption (GpCode is now using theAES 256 and RSA 1024 encryption algorithms) but doesn’t attack the boot records. Since the MBR is the first section of a users hard drive to be loaded damaging the MBR can be extremely difficult to reverse.
