MBRFilter is an open-source security tool developed by Cisco Talos that acts as a signed system driver to place a computer’s Master Boot Record (MBR) into a read-only state. It stops ransomware by blocking unauthorized attempts to modify or overwrite Sector 0 of a disk, which prevents specific malware families from seizing control of the computer’s boot process.

How MBRFilter Works
The Master Boot Record (MBR) resides at the very beginning of a hard drive (Sector 0). It holds the critical code required to launch the operating system (the bootloader) and contains the storage drive’s partition tables. MBRFilter stops attacks through the following mechanism:
The Read-Only Barrier: Once installed, MBRFilter functions as a low-level disk filter driver. It actively monitors storage input/output and locks down Sector 0.
Intercepting Writes: If any software, whether a standard program or running malware, attempts to write to or otherwise modify the MBR, the driver intercepts the request and drops it entirely.
Safe Mode Authorization: The only way a user or legitimate program can alter the MBR after installation is by deliberately booting the PC into Safe Mode, which temporarily opens Sector 0 for modification.

How It Stops Ransomware
While typical ransomware encrypts individual target files (like documents or photos), certain devastating strains seek a faster route: locking down the entire machine.
Defeating Boot-Level Ransomware: Rogue software like Petya, Satana, and HDDCryptor bypasses traditional system controls to overwrite the real MBR with a malicious bootloader.
Preventing the Master File Table (MFT) Encryption: In a typical Petya attack, the malware forces a computer crash/reboot. Upon restarting, the malicious MBR code executes before Windows loads, encrypting the Master File Table (the directory index that tells the PC where files live).
Disrupting the Kill Chain: Because MBRFilter keeps Sector 0 write-protected during normal operation, the ransomware is blocked at the driver level from embedding its rogue bootloader. The attack fails to compromise the startup sequence, leaving the filesystem intact.

Important Caveats
The tool was introduced as a targeted defense during widespread MBR-wiping campaigns. It does not protect against standard, user-space ransomware that leaves the MBR alone and goes straight to encrypting individual files in your Documents folder. Additionally, because it completely locks partition configurations, it can prevent you from initializing or formatting new hard drives unless you manage the driver manually.

Source: MBRFilter – Can’t Touch This! – Cisco Talos Blog
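The following is an added example, not Cisco Talos code and not a Windows driver: a small Python model of the two ideas the sections above describe, the layout of Sector 0 (boot code, partition table, 0x55AA signature) and the decision a disk filter driver makes when a write request overlaps Sector 0 (dropped unless the system is in Safe Mode). All names here (MbrWriteFilter, build_sample_mbr, parse_mbr, mbr_fingerprint, demo) and the synthetic disk contents are constructed for the illustration. The fingerprint function goes slightly beyond the text: it shows how a stored hash of Sector 0 lets a defender detect, not only block, MBR tampering.

```python
"""Model of a Sector-0 write filter in the spirit of MBRFilter.

Constructed example: not Cisco Talos code and not a kernel driver. It
models the layout of the Master Boot Record (boot code, partition table,
0x55AA signature) and the decision a disk filter driver makes when a
write request overlaps Sector 0 (dropped unless Safe Mode is active).
"""
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # four 16-byte partition entries start here
MBR_SIGNATURE = b"\x55\xaa"      # bytes 510-511 of a valid MBR
PART_ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr() -> bytes:
    """Construct a synthetic MBR: placeholder boot code, one NTFS-type
    partition entry, three empty entries and the boot signature."""
    boot_code = b"\x90" * PART_TABLE_OFFSET          # NOPs stand in for bootloader code
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 1_000_000)
    empty = b"\x00" * 16
    sector = boot_code + entry + empty * 3 + MBR_SIGNATURE
    assert len(sector) == SECTOR_SIZE
    return sector


def parse_mbr(sector: bytes) -> list[dict]:
    """Validate the boot signature and return the in-use partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(PART_ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:                                # partition type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return partitions


def mbr_fingerprint(disk: bytes) -> str:
    """SHA-256 of Sector 0; comparing against a stored baseline detects MBR tampering."""
    return hashlib.sha256(bytes(disk[:SECTOR_SIZE])).hexdigest()


class MbrWriteFilter:
    """Sits between callers and the 'disk', mimicking a disk filter driver."""

    def __init__(self, disk: bytearray, safe_mode: bool = False):
        self.disk = disk
        self.safe_mode = safe_mode   # the only state in which Sector 0 may be written
        self.blocked = []            # log of dropped requests as (offset, length)

    def write(self, offset: int, data: bytes) -> str:
        end = offset + len(data)
        # Any byte range touching [0, 512) counts, including writes that
        # straddle the boundary between Sector 0 and Sector 1.
        touches_sector0 = offset < SECTOR_SIZE and end > 0
        if touches_sector0 and not self.safe_mode:
            self.blocked.append((offset, len(data)))
            return "BLOCKED"
        self.disk[offset:end] = data
        return "ALLOWED"


def demo() -> dict:
    """Run a set of write attempts against a four-sector toy disk."""
    disk = bytearray(build_sample_mbr() + b"\x00" * (SECTOR_SIZE * 3))
    baseline = mbr_fingerprint(disk)
    flt = MbrWriteFilter(disk)
    results = {
        "overwrite_mbr": flt.write(0, b"\xcc" * SECTOR_SIZE),            # bootloader replacement attempt
        "straddle_boundary": flt.write(500, b"\xcc" * 20),                 # partial overlap with Sector 0
        "write_sector1": flt.write(SECTOR_SIZE, b"\xab" * SECTOR_SIZE),   # ordinary data write
    }
    results["mbr_unchanged"] = mbr_fingerprint(disk) == baseline
    results["blocked_requests"] = len(flt.blocked)
    flt.safe_mode = True                                                   # legitimate maintenance path
    results["safe_mode_write"] = flt.write(0, build_sample_mbr())
    return results


if __name__ == "__main__":
    print(parse_mbr(build_sample_mbr()))
    print(demo())
```

The overlap test is deliberately range-based rather than a check for offset zero: a write that starts at byte 500 and runs into Sector 1 still touches the MBR, and a filter that keyed only on `offset == 0` would let it through. The caveat in the text follows directly from the same logic: initializing or partitioning a new disk also writes Sector 0, so it is blocked until the driver is managed manually or the machine is in Safe Mode.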