 #18196  by BUDD4H
 Wed Feb 13, 2013 6:35 pm
Hi,

I saw many great posts on the MBR lockers from different users here.

I also saw some guys posting samples with the unlocking code and
noticed that some MBR lockers use encryption in some of the posts. But if some users get infected and they use a tool like Hitman Pro with the 'bypass MBR' option,
are those users then able to access their files, without using the right unlocking code?

I guess you guys can shine a more detailed light on this?

Thanks in advance.

Budd4h.
 #18200  by EP_X0FF
 Thu Feb 14, 2013 3:16 am
Hello,
BUDD4H wrote: noticed that some mbrlockers use encryptions in some of the posts
Point to this post.

MBRlock is a scareware type of ransom. It replaces the MBR sector with its own, saving the original at a different sector somewhere; fixmbr usually won't help because (again, usually) the partition table is only in the original MBR copy. However, a partition recovery tool should be able to fix this, without AV or any other removal tool.
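The point EP_X0FF makes above (a fixmbr-style repair rewrites only the bootstrap code, so it cannot bring back a partition table that now exists only in the locker's stashed copy of the original MBR) as an added Python example; this is not code from the thread, and the 16-sector disk image, the sector the copy is stashed in, and the helper names are all constructed for illustration.

```python
import struct

SECTOR = 512
TABLE_OFF = 446          # bootstrap code occupies bytes 0..445, partition table follows
SIGNATURE = b"\x55\xAA"  # last two bytes of every valid MBR

def partition_entries(sector: bytes):
    """Decode the four 16-byte partition entries of a 512-byte MBR (hypothetical helper)."""
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, TABLE_OFF + 16 * i)
        entries.append({"status": status, "type": ptype, "lba": lba, "sectors": count})
    return entries

def has_usable_table(sector: bytes) -> bool:
    """True if the sector carries the 0x55AA signature and at least one sane partition entry."""
    if len(sector) != SECTOR or sector[-2:] != SIGNATURE:
        return False
    ents = partition_entries(sector)
    if any(e["status"] not in (0x00, 0x80) for e in ents):
        return False
    return any(e["type"] != 0 and e["sectors"] > 0 for e in ents)

def fixmbr_style_repair(sector0: bytes, clean_code: bytes) -> bytes:
    """Model of a fixmbr-style tool: replaces only the bootstrap code, keeps the table as found."""
    return clean_code[:TABLE_OFF].ljust(TABLE_OFF, b"\x00") + sector0[TABLE_OFF:]

def find_saved_mbr(disk: bytes, first: int = 1):
    """Scan the sectors after the MBR for a copy that still has a usable partition table."""
    for n in range(first, len(disk) // SECTOR):
        s = disk[n * SECTOR:(n + 1) * SECTOR]
        if has_usable_table(s):
            return n, s
    return None

def make_mbr(code: bytes, entries: bytes) -> bytes:
    return code.ljust(TABLE_OFF, b"\x00") + entries.ljust(64, b"\x00") + SIGNATURE

# Constructed 16-sector "disk": sector 0 is a locker MBR with a zeroed table,
# the original MBR is stashed in sector 7, everything else is empty.
ORIGINAL = make_mbr(b"\xFA\x33\xC0 original bootstrap",
                    struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800))
LOCKER = make_mbr(b"\xEB\xFE locker bootstrap", b"")
DISK = LOCKER + b"\x00" * SECTOR * 6 + ORIGINAL + b"\x00" * SECTOR * 8

def recover(disk: bytes = DISK) -> tuple:
    """Return (is the fixmbr result usable?, sector holding the saved copy, recovered sector 0)."""
    after_fixmbr = fixmbr_style_repair(disk[:SECTOR], b"\xFA\x33\xC0 clean bootstrap")
    hit = find_saved_mbr(disk)
    n, saved = hit if hit else (None, None)
    return has_usable_table(after_fixmbr), n, saved
```

`recover()` shows both halves of the post: the fixmbr-style result still has no partition table, while the sector scan finds the stashed original that a partition recovery tool would write back to sector 0.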
 #18220  by RageMachine
 Sat Feb 16, 2013 5:30 pm
BUDD4H wrote: Hi,
but if some users get infected and they use a tool like hitman pro with the 'bypass mbr option',
This may work or it may go wrong. I don't think I've seen an instance of HMPro being able to actually skip over an MBR infection. I've stumbled across a lot of VBR infections which place code in between the MBR and Windows by loading a certain partition located at X offset, which jumps back to the Windows partition after processing. Usually these can be bypassed by repairing the MBR's active partition, but sometimes it can get a little messy with OEM partitions thrown in, since the boot partition must be set to the system one, not the actual OS partition.
 #18245  by BUDD4H
 Mon Feb 18, 2013 12:31 pm
Hi,

Thanks for your information, very well explained and easy to understand. (+rep)

I'm pretty new to this ransomware thing, so yeah, that may explain it. :roll:

Keep it up, always into learning new stuff.