| JustMBR | |
| --- | --- |
| Type of Malware | Partition Wiper |
| Additional names | MBR Ransomware |
| Date of initial activity | 2022 |
| Country of Origin | Iran |
| Associated Groups | Void Manticore |
| Targeted Countries | Israel |
| Motivation | To cause significant disruption and destruction to targeted systems by obliterating the partition table |
| Attack Vectors | Partition wipers can spread through various vectors, including phishing emails, malicious downloads, or exploiting vulnerabilities in software and network protocols |
| Targeted System | Windows |
Overview
Ransomware has long been a significant threat in the cybersecurity landscape, continually evolving to become more sophisticated and destructive. Among the recent developments in this domain is Master Boot Record (MBR) ransomware. Unlike traditional ransomware, which typically encrypts individual files or entire file systems, MBR ransomware targets the MBR of a computer’s hard drive.
This critical component is responsible for initiating the boot process of the operating system. By compromising the MBR, ransomware attackers can prevent the entire system from booting, thus rendering the computer unusable and its data inaccessible. This shift in attack methodology marks a new frontier in cyber threats, amplifying the potential damage and complexity of ransomware attacks.
Targets
Israeli critical infrastructure, government entities, and large corporations
How they operate
The Master Boot Record (MBR) is a critical part of a computer’s hard drive, containing essential information about the drive’s partitions and instructions for booting the operating system. This small, 512-byte section, created when the hard drive is first partitioned and formatted, plays a vital role in ensuring the computer boots up properly. The MBR comprises three key components: the boot loader, which loads the operating system; the partition table, which details the partitions on the hard drive; and the disk signature, a unique identifier for the hard drive. Given its crucial function, the MBR has become a target for sophisticated types of malware, including ransomware.
Ransomware is a type of malicious software that encrypts a victim’s files, demanding a ransom payment in exchange for the decryption key. In recent years, attackers have developed more sophisticated ransomware that targets the MBR, leading to a type of attack known as a “boot locker” attack. When ransomware infects the MBR, it prevents the computer from booting properly, rendering the system unusable until the ransom is paid. This evolution in ransomware tactics represents a significant threat, as it can completely lock victims out of their systems, making data recovery and normal operations impossible without specialized intervention.
The infection methods for MBR ransomware are varied and can be highly deceptive. One common method involves phishing emails, where attackers send emails with malicious attachments or links that, when clicked, download and execute the ransomware. Another method is through drive-by downloads, where a victim unknowingly visits a compromised website that automatically downloads the ransomware onto their computer. Additionally, attackers can exploit vulnerabilities in software or operating systems to gain access to the MBR and infect it with ransomware. Once inside the system, the ransomware executes its code, often using sophisticated techniques to evade detection by security software.
Upon infection, MBR ransomware alters or encrypts the Master Boot Record, replacing it with its malicious code. This tampering prevents the system from booting normally and instead activates the ransomware’s payload when the computer is restarted. The ransomware then displays a ransom note, demanding payment from the victim in exchange for a decryption key. Often, the system is locked, making it unusable and further pressuring the victim to comply with the demands. While paying the ransom might seem like the quickest way to resolve the issue, it is generally not recommended, as it encourages further criminal activity and does not guarantee that the decryption key will be provided.
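To make the MBR layout described above concrete from a defender's side, here is an added example (not JustMBR code, and not from the original page) that parses a 512-byte sector at the standard offsets (disk signature at 0x1B8, four 16-byte partition entries at 0x1BE, the 0x55AA boot signature at 0x1FE) and flags a wiped partition table or a sector that no longer matches a stored known-good hash. The healthy and wiped sectors it checks are constructed in the code, not captured from an infected host.

```python
"""Parse a 512-byte MBR sector and flag signs that its partition table has been
overwritten or wiped. Added illustration for this page, not JustMBR code; the
sample sectors below are constructed, not captured from an infected host."""
import hashlib
import struct

MBR_SIZE = 512
DISK_SIG_OFF = 0x1B8     # 4-byte Windows disk signature
PART_TABLE_OFF = 0x1BE   # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE     # trailing 0x55 0xAA boot signature
ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_partitions(mbr: bytes) -> list:
    """Decode the four partition table entries into dicts (little-endian fields)."""
    entries = []
    for i in range(4):
        status, type_id, lba_start, sectors = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        entries.append({"bootable": status == 0x80, "type": type_id,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr: bytes, known_good_sha256: str = "") -> list:
    """Return findings describing tampering; an empty list means the sector looks intact."""
    if len(mbr) != MBR_SIZE:
        return [f"sector is {len(mbr)} bytes, expected {MBR_SIZE}"]
    findings = []
    if mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xAA":
        findings.append("boot signature 0x55AA missing: sector overwritten or zeroed")
    if mbr[DISK_SIG_OFF:DISK_SIG_OFF + 4] == b"\x00" * 4:
        findings.append("disk signature is all zeros")
    if all(p["type"] == 0 and p["sectors"] == 0 for p in parse_partitions(mbr)):
        findings.append("partition table is empty: all four entries wiped")
    if known_good_sha256 and hashlib.sha256(mbr).hexdigest() != known_good_sha256:
        findings.append("sector hash differs from the stored known-good baseline")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed healthy MBR: one bootable NTFS partition (type 0x07) starting at LBA 2048."""
    mbr = bytearray(MBR_SIZE)
    mbr[DISK_SIG_OFF:DISK_SIG_OFF + 4] = b"\x12\x34\x56\x78"
    struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFF, 0x80, 0x07, 2048, 204800)
    mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xAA"
    return bytes(mbr)


def build_wiped_mbr() -> bytes:
    """Constructed wiped MBR: disk signature, partition table and boot signature all zeroed."""
    mbr = bytearray(build_sample_mbr())
    mbr[DISK_SIG_OFF:] = b"\x00" * (MBR_SIZE - DISK_SIG_OFF)
    return bytes(mbr)
```

Storing the SHA-256 of sector 0 from a known-good image and comparing it during incident triage gives a quick, low-cost integrity check in addition to the structural tests.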
MITRE tactics and techniques
Initial Access (TA0001):
Phishing (T1566): Attackers use phishing emails with malicious attachments or links to deliver the ransomware payload.
Drive-by Compromise (T1189): Victims unknowingly visit compromised websites that automatically download ransomware.
Execution (TA0002):
Malicious File Execution (T1204): The ransomware executes upon opening a malicious file or attachment.
User Execution (T1204.002): Execution of malware by tricking the user into running the malicious file.
Persistence (TA0003):
Boot or Logon Autostart Execution (T1547): The ransomware ensures persistence by modifying the MBR, which is executed during the boot process.
Privilege Escalation (TA0004):
Exploitation for Privilege Escalation (T1068): The ransomware may exploit vulnerabilities to gain higher privileges.
Defense Evasion (TA0005):
Obfuscated Files or Information (T1027): Using crypters and packers to evade detection by security software.
Modify Registry (T1112): Changing registry entries to disable security tools or alter system behavior.
Indicator Removal on Host (T1070): Deleting logs and other artifacts to remove traces of the attack.
Credential Access (TA0006):
Credential Dumping (T1003): Accessing stored credentials to further the attack.
Discovery (TA0007):
System Information Discovery (T1082): Gathering information about the system to tailor the attack.
File and Directory Discovery (T1083): Identifying important files and directories to target.
Lateral Movement (TA0008):
Remote File Copy (T1105): Copying malicious files to other systems on the network.
Collection (TA0009):
Data from Local System (T1005): Collecting files and data from the compromised system.
Exfiltration (TA0010):
Exfiltration Over C2 Channel (T1041): Sending collected data to Command and Control servers.
Impact (TA0040):
Data Encrypted for Impact (T1486): Encrypting files and the MBR to render the system unusable until a ransom is paid.
Inhibit System Recovery (T1490): Disabling or deleting system recovery features to prevent the victim from easily restoring the system.