MBRCodes Ransomware

By GoldSparrow in Ransomware

The MBRCodes Ransomware is an encryption ransomware Trojan that seems to be a variant of the Xorist Ransomware, a well-known ransomware family. The MBRCodes Ransomware was first observed in the last days of January 2019 and carries out a typical encryption ransomware attack. Like most encryption ransomware Trojans, the MBRCodes Ransomware is designed to take the victim's files hostage and then demand a ransom payment.

How the MBRCodes Ransomware Carries Out Its Attack

The MBRCodes Ransomware is generally delivered to the victims' computers through corrupted spam email attachments. Once the MBRCodes Ransomware has been installed, the MBRCodes Ransomware will use a strong encryption algorithm to make the victim's files inaccessible. The MBRCodes Ransomware targets the user-generated files, which may include files with the following extensions:

.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr, .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .qba, .tlg, .qbx, .qby, .1pa, .qpd, .set, .iif, .nd, .rtp, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .dsf, .ds4, .drw, .prn, .pcd, .pct, .pcx, .plt, .rif, .tga, .tiff, .psp, .ttf, .wpg, .wi, .wmf, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .sct, .wk3, .wk4, .xpm, .zip, .rar.

The MBRCodes Ransomware also prevents victims from recovering their files on their own by deleting the Shadow Volume Copies of the compromised data and the Windows System Restore points.

The MBRCodes Ransomware's Ransom Demands

The MBRCodes Ransomware seems to target Portuguese speakers: it uses a ransom note written in Portuguese to extort a ransom payment from the victim. The ransom note is dropped in a text file named 'HOW TO DECRYPT FILES.txt', which contains the following Portuguese text:

'Seus arquivos foram compactados!
Para recupera-los, voce precisa de uma chave de segurança.
Caso tenha real interesse na recuperação deles envie seu código para consulta: 14rescryptedsadfg
Para o email:
alterações no sistema operacional resultará imediatamente na perca total dos dados!
Seu contato será respondido o mais rápido possível.'

The above text translated into English reads as follows:

'Your files have been compressed!
To recover them, you need a security key.
If you have a real interest in their recovery, send your code for consultation:
[random characters]
The email is:
changes to the operating system will immediately result in total loss of data!
Your contact email will be responded to as soon as possible.'
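The targeted-extension list and the ransom note file name above are enough for a responder to scope how far an infection reached on a machine or share. The following Python triage script is an added example and is not part of the original write-up: it walks a directory tree, records every location of 'HOW TO DECRYPT FILES.txt' together with whether the file carries the note's Portuguese opening line, and counts files with targeted extensions per directory. The extension subset, the constructed sample tree and the choice to count a note wherever it appears are assumptions made for the example.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Ransom note file name quoted in the write-up, and the first line of its Portuguese text.
RANSOM_NOTE_NAME = "HOW TO DECRYPT FILES.txt"
RANSOM_NOTE_MARKER = "Seus arquivos foram compactados!"

# Subset of the targeted extensions listed in the write-up (assumption: a scan only
# needs the extensions that matter for the environment being triaged; extend as required).
TARGETED_EXTENSIONS = {".jpg", ".png", ".doc", ".docx", ".xlsx", ".pdf", ".sql", ".zip", ".qbw"}


def triage_tree(root):
    """Walk `root` and return ransom-note locations plus a per-directory count of targeted files.

    `notes` is a list of (path, marker_found) tuples; `exposure` maps a directory to how many
    files with a targeted extension it holds. A note is counted wherever it appears (assumption).
    """
    notes = []
    exposure = Counter()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name == RANSOM_NOTE_NAME:
                try:
                    text = path.read_text(encoding="utf-8", errors="replace")
                except OSError:
                    text = ""
                notes.append((str(path), RANSOM_NOTE_MARKER in text))
            elif path.suffix.lower() in TARGETED_EXTENSIONS:
                exposure[dirpath] += 1
    return {"notes": notes, "exposure": dict(exposure)}


def build_sample_tree():
    """Create a throwaway directory tree that mimics a hit share (constructed sample data)."""
    root = tempfile.mkdtemp(prefix="mbrcodes_triage_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    (docs / "report.docx").write_bytes(b"\x00" * 16)   # targeted extension
    (docs / "ledger.qbw").write_bytes(b"\x00" * 16)    # targeted extension
    (docs / RANSOM_NOTE_NAME).write_text(RANSOM_NOTE_MARKER + "\n", encoding="utf-8")
    (Path(root) / "notes.txt").write_text("untouched", encoding="utf-8")  # not in subset
    return root


if __name__ == "__main__":
    print(triage_tree(build_sample_tree()))
```

Pointing `triage_tree` at a real share root gives the list of directories that contain a note and the number of targeted files in each, which is the scope information needed before deciding which backups to restore.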

PC security researchers instruct computer users not to contact the criminals responsible for the MBRCodes Ransomware attack. Instead, PC users are advised to take steps to protect their data preemptively. The best protection against threats like the MBRCodes Ransomware is to keep backup copies of all files and store them in a safe, external location. A combination of data backups and a strong security program can help prevent the MBRCodes Ransomware from being installed, and can limit the extent of the damage if a threat like the MBRCodes Ransomware does manage to compromise the victim's data.


