Avira TechBlog: We discovered a new ransomware threat which is downloaded by a Trojan of the Oficla family. This downloaded threat replaces the MBR (master boot record) of the hard disk with its own MBR which asks the user for a password and thus blocks the loading of the operating system.

Upon starting the Oficla Trojan and successive execution of the downloaded payload the system will be rebooted and the user will be presented the ransom notice.

screenshot

The notice of the manipulated boot sector claims that all the hard drives were encrypted – this is a lie though; all the files are still intact and can be accessed as usual.

It is interesting that the malicious binary is not crypted or obfuscated at all, even the message which will be placed into the MBR is available in plain-text. This is quite unusual nowadays.

binary

As you can see, the “ID” is not generated in a random way, it’s the same for each infection. Therefore the victims which are infected can use the password “aaaaaaciip” which will restore the original MBR and Windows will start again.

Avira detects the malware as TR/Ransom.Seftad.A. The malicious boot sector is detected as “BOO/Seftad.A”.