Just some notes, that may or may not be helpful. Take all the information with a huge pinch of salt, as I have never done much boot loader reversing. Expect inaccuracies and some info may just be plain wrong.
The malicious MBR will essentially read 32 sectors starting from sector 0x22 to address 0x8000 and then continues execution there. The most relevant functions are located at 0x8430 which checks the typed in password as well as 0x8206 which is the decryption routine that is being called if the password passes validation.
Sector 0x36 contains information required by the malicious boot loader. The first byte indicates whether or not the system has been encrypted already. If it is 0, the malware runs the encryption. If it is 1, the system counts as already encrypted. The following 32 bytes are used to derive the XOR key stream that is used to encrypt the system's MFT. After encryption took place, the malware will zero it out and set the first byte to 1. I haven't figured out the exact purpose of the next 8 bytes yet, but after that you will find the payment portal URLs and the ID displayed to the user.
Sector 0x37 contains the first 512 bytes of the XOR key stream that was used to encrypt the MFT. It is obfuscated using XOR 0x37. It will decrypt the first 8 sectors of the MFT, but the key stream changes after 4096 bytes. From what I can tell the permutation depends on the password you type in, so I don't think there is a way to use just the information there without either the password or the 32 byte key from earlier to predict the entire key stream. From the looks of it, the only reason it is there at the moment seems to be to verify whether the typed in password is correct as the first 512 bytes generated by the password are compared to the partial key stream stored here to see if the user put in the correct password.
Sector 0x38 contains a backup of the original MBR, obfuscated using XOR 0x37 again.
Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com