Tuesday, November 30, 2010

New 'Seftad' Ransomware Encrypts Drives Demands $100 For Fix

There are several new version of the GpCode ransomware running wild around the web these days however there is a new even nastier piece of code that researchers have discovered that is even more alarming. The new MBR-infecting ransomware known as Seftad overwrites the master boot record on infected machines telling victims that their hard drives have been encrypted and demands a payment of $100 to reverse the damage.

This malware which was first detected and analyzed by Kaspersky Lab malware analyst Denis Maslennikovas shows as Trojan-Ransom.Win32.Seftad.a and Trojan-Ransom.Boot.Seftad.a. This ransomware is downloaded by Trojan.Win32.Oficla.cw. If Seftad.a was downloaded by Oficla.cw and run, the victim’s PC is rebooted and the following message appears on the screen:

Entering an incorrect password three times will cause the PC to reboot a second time and display the same message again.

"If the victim browses the malware author’s website, he is asked to pay $100 using ‘Paysafecard’ or ‘Ukash’. If you are infected by this malware do not visit the website. Use the password ‘aaaaaaciip’ (without quotes) to restore the original MBR. If the password doesn’t work, you can cure your MBR with Kaspersky Rescue Disk 10," Maslennikov said.

This new approach at attacking the master boot record (MBR) is something new that we haven't seen from ransomware in the past. Several variants include the new GpCode utilizes actual encryption (GpCode is now using theAES 256 and RSA 1024 encryption algorithms) but doesn't attack the boot records. Since the MBR is the first section of a users hard drive to be loaded damaging the MBR can be extremely difficult to reverse.

As of now its unclear if a user can use their installation media and run the FIXMBR command or if running a repair install or other work arounds will work.


  1. Anonymous11:42 PM

    I managed to use Windows repair and run boot and mbr fix successfully.

  2. Jimmy Chan5:09 AM

    I remove this RSA 1024 trojan as follows:
    1.Right click on your monitor screen. Click on
    2.Select desktop. A new item is shown on your list of wallpaper.This item is your wallpaper with the ransom message.
    3. Click on browse to show program. Right click on every item and select delete. When all items are deleted, reinstall your wallpaper. Done!

  3. Jimmy I see next to no chance that that would actually work.


All comments will be moderate for content, please be patient as your comment will appear as soon as it has been reviewed.

Thank you