The infected computer displays a message telling users that they have been infected by Vitali Kremez and MalwareHunterTeam, two of the best-known security researchers. Of course, the two researchers have nothing to do with this wiper malware.
MBRLocker's full message says:
"Hello, my name is Vitali Kremez. I've infected your idiot computer. You idiot.
Send me a message on twitter @VK_intel if you want your computer back.
If I don't answer, send to twitter.com/malwrhunterteam.
For protection, install SentinelOne antivirus software on your computer. I work here as head of the laboratories.
Vitali Kremez Inc. () 2020".
There is another variant of the malware, called “SentinelOne Labs Ransomware”, that accuses only Vitali Kremez. This variant goes further and discloses Kremez's e-mail addresses and phone number.
The text of this variant states:
“~ SentinelOne Labs Ransomware ~
Your system was unprotected, so we disabled access to Windows.
You will need to purchase the SentinelOne antivirus to restore your computer.
My name is Vitali Kremez. My contact details are as follows:
Email 1: XXX
Email 2: xxx
After you buy my antivirus, I will send you a password to unlock the computer.
Insert unlock code: _”.
These infections are called MBRLockers because they replace a computer's Master Boot Record (MBR), preventing the operating system from starting. They then display a message, which most often demands a ransom.
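To make concrete what an MBRLocker actually changes on disk, here is an added example (not code from the article or from any of the samples it describes) that parses the 512-byte MBR layout, checks the 0x55AA boot signature, and flags a sector whose partition table has been wiped. The two sample sectors are constructed in the script, not real disk dumps; the "no partition table" heuristic is an assumption about locker behaviour, not a description of this specific sample.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIG = b"\x55\xAA"          # BIOS refuses to boot a sector without this trailer
TABLE_OFFSET = 446              # 4 x 16-byte partition entries follow the boot code


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into its signature check and four partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, TABLE_OFFSET + 16 * i)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": sector[510:512] == BOOT_SIG, "partitions": partitions}


def mbr_looks_replaced(sector: bytes) -> bool:
    """Heuristic (assumption): a locker screen keeps the boot signature so the BIOS
    still executes it, but the original partition table is no longer present."""
    info = parse_mbr(sector)
    has_partition = any(p["type"] != 0 and p["sectors"] > 0 for p in info["partitions"])
    return info["signature_ok"] and not has_partition


def read_mbr(path: str) -> bytes:
    """Read sector 0 from a raw disk or disk image (e.g. a forensic dd copy)."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def build_sample_mbr(partition_table: bytes, boot_code: bytes = b"") -> bytes:
    """Constructed test sector: boot code + 64-byte partition table + signature."""
    return (boot_code.ljust(TABLE_OFFSET, b"\x00")[:TABLE_OFFSET]
            + partition_table.ljust(64, b"\x00")[:64] + BOOT_SIG)


# Constructed healthy MBR: one bootable NTFS (0x07) partition at LBA 2048, 1,000,000 sectors.
GOOD_MBR = build_sample_mbr(struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000))
# Constructed locker-style sector: a message where code and table used to be, signature intact.
LOCKED_MBR = build_sample_mbr(b"", boot_code=b"Your system was unprotected")

if __name__ == "__main__":
    for name, sector in (("good", GOOD_MBR), ("locked", LOCKED_MBR)):
        print(name, parse_mbr(sector), "replaced?", mbr_looks_replaced(sector))
```

Comparing `parse_mbr(read_mbr(current))` with the parse of a known-good backup is a quick way to confirm that a restored MBR really carries the original partition table.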
In this case, it seems that some hacker wanted to tarnish the names of Kremez and MalwareHunterTeam. A kind of prank.
Neither of the two researchers is involved in any of these attacks in any way.
Computer access can be recovered
Recently, a number of new MBRLockers have appeared that seem to be created for "fun" or as part of a "prank".
Recently, various MBRLockers have been created using a builder tool that is publicly available on YouTube and Discord. It is believed that this tool was also used for the wiper malware that blames Kremez and MalwareHunterTeam.
When an MBRLocker is created with this tool, the malware first backs up the computer's original MBR to a safe location.
If this wiper malware uses the same MBRLocker builder, then it may be possible to recover the MBR and therefore regain access to the computer.
In one sample, it was possible to restore the MBR by simultaneously pressing CTRL + ALT + ESC. We do not yet know whether this method works in this case as well.