FANDOM


DiskWriter or UselessDisk is a MBR bootlocker that overwrites the MBR of victims' computers and then displays a ransom screen on reboot instead of booting into Windows. This ransom note asks for $300 in bitcoins in order to gain access to Windows again.

Payload

Transmission

This infection is being distributed under the DiskWriter.exe or UselessDisk.exe filenames. The sample also includes a PDB string of E:\Debug\UselessDisk.pdb, which indicates that the developer named this infection UselessDisk.

Infection

When this infection is executed it will replace the MBR with its own bootloader and then reboots the computer using the "shutdown -r -t 0" command. Once the computer is rebooted, it will display the ransom screen. 

The system gets stuck at Windows boot and, instead of displaying an endless loop or regular Windows boot screen, it generates the following UselessDisk ransom screen:

                   Ooops,your important files are encrypted.                    
If you see this text,then your files are not accessible,because they've been    
encrypted.Maybe you're busy looking for a way to recover your files,but don't   
waste your time.Nobody can recover your files without our decryption service.   
In order to decrypt.Please Send $300 worth of Bitcoin to this address:          
1GZCw453MzQr8V2VAgJpRmKBYRDUJ8kzco

The ransom screen does not contain explicit information on how to recover files encrypted by DiskWriter ransomware. It does not include the name of a virus or a personal victim's ID that would let criminals to recognize who transferred the payment. Crooks provide indicate the amount of the ransom (300 USD) and ask to transfer it in Bitcoins via the 1GZCw453MzQr8V2VAgJpRmKBYRDUJ8kzco wallet.

Community content is available under CC-BY-SA unless otherwise noted.