SentinelOne Labs Ransomware
Given how severe and dangerous computer viruses and ransomware can be, it’s surprising to find out that pranksters do exist within that world. One such prankster recently emerged with a virus that aims to lock down computers and then place the blame on respected cybersecurity researchers. The virus – called the SentinelOne ransomware or MBRLocker – places the blame on Vitali Kremez of SentinelOne in particular.
Someone will download what appears to be completely innocent software from a third-party site, or they will download an illegitimate crack for pirated software. After downloading and running the program, they suddenly discover that their computer has been infected, apparently by Vitali Kremez and the MalwareHunterTeam, two of the most famous names in malware research and eradication. It goes without saying that they have absolutely nothing to do with the ransomware.
The profanity-laden ransom note for the virus appears below:
Hello, my name is Vitali Kremez. I infected your stupid PC. you idiot.
Write me in twitter @VK_intel if you want your computer back
If I do not answer, write my husband twitter.com/malwrhunterteam
To protect your ***ing computer in future install SentinelOne antivirus. I work here as head of labs.
Vitali Kremez Inc. () 2020
The infections are known as MBRLockers because of how they tamper with the Master Boot Record (MBR) of computers. They overwrite the MBR so that the operating system can no longer start up properly. This kind of attack has been seen in other ransomware and wipers, such as the Petya virus.
SentinelOne themselves have spoken out about the destructive "prank" and reassured people that neither they nor Kremez had anything to do with it. The company issued a release stating that several MBRLocker strains had been seen during April. While most of the strains are just pranks, some of them appear to be genuine threats. Then there was the issue of the one attributed to Kremez.
What stands out about this particular attack is that the original creator of the virus has made things personal. Not only does the ransom note use Kremez’s name, but it also includes personal contact information for the researcher. The "husband" comment in the note appears to be a reference to Kremez’s friends and teammates at MalwareHunterTeam.
SentinelOne says they don’t usually comment on stories like this, but the issue was so personal and so widely reported they had to. The firm commented that "neither SentinelOne nor any of the named researchers are in any way associated with this destructive prank."
In general, it isn’t too difficult to get around an MBRLocker as long as the user has an extra bootable device to hand. These viruses are designed to prevent the MBR from working properly so the computer can’t boot, even in safe mode. Having something else the computer can boot from means you can start your computer, as usual, delete the virus and restore any lost data from a backup.
With that said, this new variation appears more destructive than others. Kremez himself has looked into the ransomware and says it wipes the full 512 bytes of the MBR sector, boot code and partition table included. Kremez believes that the only way victims can get their computer back is a full restore.
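A triage check for exactly this kind of damage, added here as an example and not part of the original article or of SentinelOne's tooling: it parses the first 512 bytes of a disk (or a disk image taken from an affected machine) and flags the missing boot signature and empty partition table that a wiped MBR leaves behind. The sample sector it checks is constructed inline; the "repeated byte" heuristic is an assumption of this example, not a claim about how the malware fills the sector.

```python
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries follow the boot code
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"   # last two bytes of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Inspect the first 512 bytes of a disk and report whether they look intact.

    Returns the boot signature status, the partition entries in use and a list
    of findings that point to a wiped or overwritten MBR.
    """
    if len(sector) < MBR_SIZE:
        raise ValueError("need at least 512 bytes")
    sector = sector[:MBR_SIZE]
    findings = []
    signature_ok = sector[510:512] == BOOT_SIGNATURE
    if not signature_ok:
        findings.append("boot signature 0x55AA missing")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0 and lba_start == 0 and sectors == 0:
            continue  # unused entry
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    if not partitions:
        findings.append("partition table empty")
    bootcode = sector[:PARTITION_TABLE_OFFSET]
    # Heuristic (assumption of this example): real boot code is never one repeated byte.
    if bootcode.count(bootcode[:1]) == len(bootcode):
        findings.append("boot code area is a single repeated byte")
    return {"signature_ok": signature_ok, "partitions": partitions,
            "findings": findings, "intact": signature_ok and bool(partitions)}


def build_sample_mbr() -> bytes:
    """Constructed sample: a jump stub, one bootable NTFS-type partition, valid signature."""
    sector = bytearray(MBR_SIZE)
    sector[0:3] = b"\xEB\x63\x90"  # typical jump stub at the start of boot code
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + PARTITION_ENTRY_SIZE] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)
```

On a real image, pass the first sector in with `parse_mbr(open("disk.img", "rb").read(512))`; an `intact` value of `False` together with both findings is what a fully zeroed MBR looks like.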
Pranks like this are designed to garner publicity and thrills for the attacker, but, like any other kind of virus, they create nothing but misery for victims. One thing professional cybercriminals and pranksters like this have in common is their disregard for their victims and the damage they cause.