Security researchers found a new ransomware called RedBoot, which encrypts files on an infected computer, replaces the Master Boot Record (MBR) of the system drive and modifies the partition table.
According to the experts, it is impossible to input a decryption key to restore the MBR and the partition table, suggesting that the new ransomware may be a wiper.
Once the user executes RedBoot, it extracts five other files into a randomly named folder inside the directory containing the launcher. The five files are the following:
- boot.asm – an assembly file that is compiled into the new master boot record. When boot.asm is compiled, it produces the boot.bin file.
- assembler.exe – a renamed copy of nasm.exe that is used to compile the boot.asm assembly file into the master boot record file boot.bin.
- main.exe – the user-mode encrypter that encrypts the files on the computer.
- overwrite.exe – used to overwrite the master boot record with the newly compiled boot.bin file.
- protect.exe – the executable that terminates, and prevents from running, various programs such as Task Manager and Process Hacker.
When the files are extracted, the main launcher compiles the boot.asm file to generate boot.bin. To do so, the launcher executes the following command:
"[Downloaded_Folder]\70281251\assembler.exe" -f bin "[Downloaded_Folder]\70281251\boot.asm" -o "[Downloaded_Folder]\70281251\boot.bin"
After boot.bin is compiled, the launcher deletes the boot.asm and assembler.exe files. It then uses the overwrite.exe program to overwrite the current master boot record with the compiled boot.bin using this command:
When the encryption process starts, the launcher runs main.exe, which scans the machine for files to encrypt and appends the .locked extension to each encrypted file.
The main.exe program also executes the protect.exe component to stop any software that could halt the infection. After all the files are encrypted, RedBoot reboots the PC and a ransom note is displayed.
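The MBR overwrite and partition-table change described above are the parts of this chain a defender can verify against a known-good baseline: the first 446 bytes of sector 0 hold the bootstrap code, the next 64 bytes hold the four partition entries, and the last two bytes must be the 0x55AA signature. The following Python script is an added example written for this article; it is not code from the original report or from RedBoot itself. It parses a 512-byte MBR, hashes the bootstrap code and compares both the code and the partition table with a saved baseline, flagging any change. The two MBR images it uses are constructed in memory as test fixtures, so it runs offline; on a live Windows host the same 512 bytes would be read from the raw physical drive with administrator rights (an assumption about deployment, not something the article describes).

```python
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_LEN = 446          # bootstrap code occupies bytes 0..445
PTABLE_OFF = 446             # four 16-byte partition entries follow it
PTABLE_ENTRY_LEN = 16
SIGNATURE_OFF = 510
MBR_SIGNATURE = b"\x55\xAA"  # little-endian 0xAA55 boot signature

# Partition entry: status, CHS start (3 bytes, skipped), type, CHS end (3 bytes,
# skipped), 32-bit LBA start, 32-bit sector count.
ENTRY_FMT = "<B3xB3xII"


def has_valid_signature(mbr: bytes) -> bool:
    """True if the sector ends with the mandatory 0x55AA boot signature."""
    return mbr[SIGNATURE_OFF:SIGNATURE_OFF + 2] == MBR_SIGNATURE


def bootstrap_hash(mbr: bytes) -> str:
    """SHA-256 of the bootstrap code region, used as the baseline fingerprint."""
    return hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest()


def parse_partition_table(mbr: bytes) -> list:
    """Return the four partition entries of a 512-byte MBR as dictionaries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PTABLE_OFF + i * PTABLE_ENTRY_LEN
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, mbr, off)
        entries.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return entries


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Describe every way `current` differs from the trusted `baseline` image."""
    findings = []
    if not has_valid_signature(current):
        findings.append("boot signature 0x55AA missing")
    if bootstrap_hash(baseline) != bootstrap_hash(current):
        findings.append("bootstrap code changed")
    for old, new in zip(parse_partition_table(baseline),
                        parse_partition_table(current)):
        if old != new:
            findings.append(f"partition entry {old['index']} changed: {old} -> {new}")
    return findings


def build_sample_mbr(bootstrap: bytes, entries) -> bytes:
    """Construct a synthetic 512-byte MBR (a test fixture, not a real disk image)."""
    buf = bytearray(MBR_SIZE)
    code = bootstrap[:BOOTSTRAP_LEN]
    buf[:len(code)] = code
    for i, (status, ptype, lba_start, sectors) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, buf, PTABLE_OFF + i * PTABLE_ENTRY_LEN,
                         status, ptype, lba_start, sectors)
    buf[SIGNATURE_OFF:] = MBR_SIGNATURE
    return bytes(buf)


# Constructed baseline: one bootable NTFS-type (0x07) partition starting at LBA 2048.
BASELINE_MBR = build_sample_mbr(b"\xEB\x63\x90" + b"\x90" * 20,
                                [(0x80, 0x07, 2048, 204800)])
# Constructed "after" image: different bootstrap code and the partition entry zeroed.
TAMPERED_MBR = build_sample_mbr(b"\xFA\x31\xC0" + b"\x00" * 20,
                                [(0x00, 0x00, 0, 0)])

if __name__ == "__main__":
    for finding in compare_mbr(BASELINE_MBR, TAMPERED_MBR):
        print(finding)
```

The baseline image would be captured once from a clean machine and stored off-host; any later run that reports a changed bootstrap hash or a changed partition entry is a signal to stop and image the disk before rebooting, since the ransom note is only shown after the reboot that the overwritten MBR controls.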
The ransom note tells the victims to send their ID key to the email recipient firstname.lastname@example.org in order to get payment instructions.
The problem is that even if the victim contacts the developer and pays the ransom, the hard drive may not be recoverable, because RedBoot permanently modifies the partition table.
“While this ransomware is brand new and still being researched, based on preliminary analysis it does not look promising for any victims of this malware. This is because in addition to the files being encrypted and the MBR being overwritten, preliminary analysis shows that this ransomware may also be modifying the partition table without providing a method to restore it,” security experts say.
The researchers also suggest that RedBoot is a wiper disguised as ransomware, though it is possible that the developer made mistakes while developing the malware.