Anti-virus experts at Trend Micro have discovered ransomware which blocks systems from booting. In contrast to the localised trojans, which are widely spread around Europe, it does so by inserting itself into the master boot record (MBR). It then restarts the system and instructs the user to pay a ransom of 920 Ukrainian hryvnia (equivalent to about 90 euros) to the criminals via payment service QIWI.
If victims pay up, the criminals send them a code to unlock their computers. Users can, however, save themselves 920 hryvnia by following the experts’ instructions for removing the infection. This essentially consists of running the recovery console from the Windows Installation DVD and restoring the original MBR using the fixmbr command.
According to Trend Micro, the virus is spread via crafted web sites or is injected onto systems by other malware. Malware which overwrites the MBR to prevent booting was discovered in early 2010, though it did not demand a ransom. There are dozens of versions of the BKA-style trojans in the wild, most of which do not corrupt the MBR, relying instead on autostart or special registry entries to hook themselves into the system.