Yesterday, researchers from Cisco reported that the new free tool MBRFilter, which protects a computer’s MBR sector against unauthorized access, can be used for safeguarding machines against MBR-targeting malware like Satana, Petya, or HDDCryptor ransomware.
In fact, MBRFilter is a simple driver that puts the MBR into read-only mode, preventing applications from modifying or writing data to that section of the hard drive.
MBR stands for “Master Boot Record”, a special section of hard disk drives. The MBR sits at the beginning of the HDD’s storage space and keeps information on partitions in a Master File Table (MFT) component.
Besides that, the MBR stores the computer’s bootloader, the OS component responsible for booting the installed OS.
For instance, ransomware like Petya, and other MBR malware (bootkits), forces the computer to restart and, during the subsequent reboot, writes new data to the MBR, adding its own malicious routines.
According to Cisco’s team, the MBRFilter blocks these operations, preventing Petya or other malware from tinkering with a machine’s boot record.
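To make concrete what “the boot record” contains and what a defender can check for, here is an added example (not Cisco’s MBRFilter code): a Python parser for a 512-byte MBR sector plus a baseline comparison that flags the kind of modification the filter is meant to prevent. The sector contents are constructed inline; the layout constants (boot code in the first 446 bytes, four 16-byte partition entries, 0x55AA signature) are the standard MBR format.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446        # 446 bytes of boot code, then 4 x 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR
ENTRY_FMT = "<B3xB3xII"        # status, CHS start, type, CHS end, LBA start, sector count

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash, its partition table and a signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, ptype, lba_start, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:  # partition type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "code_sha256": hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
    }

def diff_mbr(baseline: bytes, current: bytes) -> list:
    """Compare sector 0 against a trusted baseline and list what changed (integrity check)."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not c["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if b["code_sha256"] != c["code_sha256"]:
        findings.append("bootloader code changed")
    if b["partitions"] != c["partitions"]:
        findings.append("partition table changed")
    return findings

def build_sector(code: bytes, partitions) -> bytes:
    """Constructed test MBR (not a real disk image): boot code, partition entries, signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(code)] = code  # assumes the boot code fits in the first 446 bytes
    for i, (bootable, ptype, lba_start, count) in enumerate(partitions):
        off = PART_TABLE_OFFSET + 16 * i
        sector[off:off + 16] = struct.pack(ENTRY_FMT, 0x80 if bootable else 0, ptype, lba_start, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)

# Constructed sample: one bootable NTFS (type 0x07) partition, then the same disk with altered boot code.
BASELINE = build_sector(b"\xeb\xfe" + b"\x90" * 14, [(True, 0x07, 2048, 1_000_000)])
TAMPERED = build_sector(b"\x90" * 16, [(True, 0x07, 2048, 1_000_000)])
```

Calling `diff_mbr(BASELINE, TAMPERED)` returns `['bootloader code changed']`; on a live system the baseline would be the sector 0 image captured right after installation and the current one read from the raw disk device with administrative rights.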
Cisco has open-sourced the MBRFilter source code on GitHub. Apart from the code, pre-compiled MBRFilter driver installers for Windows 32-bit and 64-bit platforms are also available for download.
Some time ago, the Cisco Talos experts released a tool that helps security researchers extract configuration details from the Locky ransomware. The tool, called LockyDump, can be used to track ransomware campaigns.