It ransoms your data by encrypting it, and changes the MBR to display a ransom message.
You could use this message for plausible deniability.
I wrote the following code to display the same message as Win32/RansomSeftad:

    ; Code for MBR to display message & halt
    ; If you adapt this program, make sure the binary code is not longer than 440 bytes (MBR code limit)
    ; Written for NASM assembler (http://www.nasm.us) by Didier Stevens
    ; https://DidierStevens.com
    ; Use at your own risk
    ;
    ; History:
    ;   2010/12/02: start

        org 0x7C00              ; the BIOS loads the MBR at 0000:7C00

    START:
        xor ax, ax              ; AX = 0
        mov ds, ax              ; DS = 0, so HELLO resolves against org 0x7C00
        mov ss, ax
        mov sp, START           ; stack grows down from 0x7C00
        lea si, [HELLO]         ; SI -> start of the message
        xor bx, bx              ; BH = display page 0
        mov ah, 0Eh             ; INT 10h function 0Eh: teletype output
        cld                     ; lodsb moves SI forward

    PRINT_LOOP:
        lodsb                   ; AL = next message byte
        test al, al
        jz HALT                 ; byte 0x00 ends the message
        int 10h                 ; print the character in AL
        jmp PRINT_LOOP

    HALT:
        cli                     ; disable interrupts
        hlt                     ; stop the CPU

    HELLO:
        db "Your PC is blocked.", 0dh, 0ah
        db "All the hard drives were encrypted.", 0dh, 0ah
        db "Browse www.safe-data.ru to get an access to your system and files.", 0dh, 0ah
        db "Any attempt to restore the drives using other way will", 0dh, 0ah
        db "lead to inevitable data loss !!!", 0dh, 0ah
        db "Please remember Your ID: 773921,", 0dh, 0ah
        db "with its help your sign-on password will be generated.Enter password:"
        db 0

If you want to change the message, change the strings after HELLO. Don't forget to terminate your message with byte 0x00.
I'm not going to explain how you change the code in your MBR. If you don't know how to do this, it's very likely you'll corrupt the MBR and make your machine unbootable.
Test this first in a virtual machine you can afford to lose, and if you do it on a real machine, make a full disk backup and test your restore procedure first.
I only tested this in a virtual machine.
If you know how to change your MBR: don't forget to back up your original MBR first.
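
An added example, not part of the original post: a Python check that compares a saved 512-byte MBR backup with a later dump of the same sector, reports which region changed (the 440-byte code area, the disk signature or the partition table) and lists any message text found in the boot code. The function names and the two sample sectors are constructed for illustration; it assumes the classic MBR layout and only reads byte strings, it does not touch a disk.

```python
import re
import struct

SECTOR = 512
CODE_END = 440      # boot code area: bytes 0..439 (the 440-byte limit above)
TABLE_START = 446   # four 16-byte partition entries: bytes 446..509

def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte MBR sector into its regions."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    parts = []
    for i in range(4):
        entry = sector[TABLE_START + 16 * i: TABLE_START + 16 * (i + 1)]
        lba, count = struct.unpack_from("<II", entry, 8)
        if entry[4]:  # partition type 0x00 marks an unused slot
            parts.append({"index": i, "bootable": entry[0] == 0x80,
                          "type": entry[4], "lba": lba, "sectors": count})
    return {
        "code": sector[:CODE_END],
        "disk_signature": sector[CODE_END:CODE_END + 4],
        "table": sector[TABLE_START:510],
        "partitions": parts,
        "boot_signature_ok": sector[510:512] == b"\x55\xaa",
    }

def code_strings(code: bytes, min_len: int = 8) -> list:
    """Printable ASCII runs in the boot code, e.g. a message shown at boot."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, code)]

def changed_regions(backup: bytes, current: bytes) -> list:
    """Names of the MBR regions that differ between a backup and a later dump."""
    a, b = parse_mbr(backup), parse_mbr(current)
    return [k for k in ("code", "disk_signature", "table") if a[k] != b[k]]

def sample_sector(code: bytes) -> bytes:
    """Constructed sector: the given code plus one bootable type-0x07 partition."""
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 204800)
    body = code.ljust(CODE_END, b"\x00") + b"\x12\x34\x56\x78" + b"\x00\x00"
    return body + entry + bytes(48) + b"\x55\xaa"

if __name__ == "__main__":
    backup = sample_sector(b"\xfa\x33\xc0\x8e\xd0")                 # constructed
    current = sample_sector(b"\x31\xc0\x8e\xd8Your PC is blocked.\r\n\x00")
    print(changed_regions(backup, current), code_strings(parse_mbr(current)["code"]))
```

A result of only `code` means the partition table and disk signature still match the backup, so restoring the saved code area is enough; a changed `table` means the partition layout itself was altered.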