Security researchers have discovered a new malware scam capable of locking Window users out of their PCs – the first of its kind to play on fears surrounding the ongoing pandemic.
Referred to as MBRLockers, this group of malware substitutes the Windows Master Boot Record (MBR), preventing the operating system from starting up as usual.
Victims are typically presented with a ransom note demanding an unlock key is purchased via the dark web, or simply a derisive message from the hacker.
According to MalwareHunterTeam, the group responsible for the discovery, the new malware is being diffused as executable file COVID-19.exe.
The new coronavirus-themed malware reportedly executes a batch file that shifts various data, configures certain programs to open on boot and then forces Windows to restart.
Once the PC has restarted for the first time, the user is met with an image of the coronavirus and a jeering message: “coronavirus has infected your PC!”. On every subsequent restart, a plain-text message reads “Your Computer Has Been Trashed (sic)”.
An investigation by cybersecurity firms Avast and SonicWall found the malware also executes a program that backs up the original MBR to a separate location and replaces it with a custom version, responsible for the threatening messages at restart.
The Avast investigation also uncovered a bypass included in the custom MBR that allows affected users to revert to the original and boot Windows as normal. This can be performed by pressing the CTRL, ALT and ESC keys simultaneously.
Opportunist cybercriminals of all varieties are capitalising on panic surrounding the coronavirus. Recent weeks have seen ransomware and DDoS attacks on healthcare institutions, including the World Health Organisation, and a multitude of virus-themed phishing scams enter circulation.