Cisco’s Talos team released today a new free tool called MBRFilter that protects a computer’s MBR sector against unauthorized modification, which can be useful for safeguarding PCs against MBR-targeting malware such as the Petya, Satana, or HDDCryptor ransomware.
At its core, the tool is nothing more than a driver that puts the MBR into read-only mode, preventing any application from modifying or writing data to that particular section of the hard drive.
The MBR stands for Master Boot Record and is a special section of all hard disk drives.
The MBR is located right at the beginning of the HDD’s storage space and keeps information on partitions in a component called the MFT, or the Master File Table.
The MBR also stores the computer’s bootloader, an OS component responsible for booting the current OS.
Ransomware such as Petya, or other MBR malware (bootkits), force computers to restart, and during the subsequent reboot process, they write new data to the MBR, adding their own malicious routines.
Cisco says MBRFilter blocks these operations, preventing Petya or other malware from tinkering with a computer’s boot record.
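MBRFilter works by blocking writes in the kernel; a complementary defensive check is to record a known-good copy of the MBR and compare it later, which also makes the layout described above (446 bytes of bootstrap code, four 16-byte partition entries, and the 0x55AA signature) concrete. The following Python script is an added example, not code from Cisco Talos or the MBRFilter project. The sample sectors in it are constructed in memory rather than read from a real disk; the function and constant names are this example’s own.

```python
"""Parse a 512-byte MBR sector and report how it differs from a known-good baseline."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446           # bootstrap code occupies bytes 0..445
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries follow the boot code
PARTITION_ENTRY_LEN = 16
SIGNATURE_OFFSET = 510        # bytes 510..511 must be 0x55 0xAA


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into a boot-code hash, the populated partition entries and the signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"MBR must be exactly {MBR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for slot in range(4):
        off = PARTITION_TABLE_OFFSET + slot * PARTITION_ENTRY_LEN
        # status, CHS start, type, CHS end, LBA start, sector count (little-endian)
        status, _chs_start, ptype, _chs_end, lba_start, size = struct.unpack(
            "<B3sB3sII", sector[off:off + PARTITION_ENTRY_LEN])
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "slot": slot,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": size,
        })
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[SIGNATURE_OFFSET:] == b"\x55\xaa",
    }


def mbr_baseline(sector: bytes) -> str:
    """Hash of the whole sector, to be recorded while the system is known to be clean."""
    return hashlib.sha256(sector).hexdigest()


def diff_mbr(baseline: dict, current: dict) -> list:
    """Return findings describing what changed between two parsed MBRs (empty list = unchanged)."""
    findings = []
    if baseline["boot_code_sha256"] != current["boot_code_sha256"]:
        findings.append("boot code modified")
    if not current["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    old = {p["slot"]: p for p in baseline["partitions"]}
    new = {p["slot"]: p for p in current["partitions"]}
    for slot in sorted(set(old) | set(new)):
        if old.get(slot) != new.get(slot):
            findings.append(f"partition entry {slot} changed")
    return findings


def build_sample_mbr(boot_code: bytes, entries) -> bytes:
    """Assemble a constructed MBR for demonstration purposes (not read from any real disk)."""
    sector = bytearray(MBR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    for slot, (bootable, ptype, lba_start, size) in enumerate(entries):
        off = PARTITION_TABLE_OFFSET + slot * PARTITION_ENTRY_LEN
        sector[off:off + PARTITION_ENTRY_LEN] = struct.pack(
            "<B3sB3sII", 0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba_start, size)
    sector[SIGNATURE_OFFSET:] = b"\x55\xaa"
    return bytes(sector)


# Constructed sample: a clean MBR with one bootable NTFS-type (0x07) partition ...
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 100,
                             [(True, 0x07, 2048, 1_000_000)])
# ... and a copy whose bootstrap code was overwritten while the partition table is untouched.
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x00" * 100,
                                [(True, 0x07, 2048, 1_000_000)])

if __name__ == "__main__":
    print("baseline:", mbr_baseline(CLEAN_MBR))
    print("findings:", diff_mbr(parse_mbr(CLEAN_MBR), parse_mbr(TAMPERED_MBR)))
```

On a live Windows system the same functions can be fed the first 512 bytes of `\\.\PhysicalDrive0` (opened read-only from an elevated prompt); the baseline hash should be taken on a machine believed to be clean and stored off-host, since a bootkit that can rewrite the MBR can also rewrite a baseline kept on the same disk. Hashing the boot code separately from the partition table lets a monitor tell a ransomware-style bootloader replacement apart from a legitimate repartitioning.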
Cisco has open-sourced the MBRFilter source code on GitHub. Pre-compiled MBRFilter driver installers for Windows 32-bit and 64-bit platforms are also available for download. Below is a demo video of MBRFilter in action.
Previously, the Cisco Talos team had released LockyDump, a tool that helps security researchers extract configuration details for the Locky ransomware, which can be useful for tracking ransomware campaigns over time.