RedBoot Ransomware Operates as a Wiper


Security researchers found a new ransomware called RedBoot, which encrypts files on an infected computer, replaces the Master Boot Record (MBR) of the system drive and modifies the partition table.

According to the experts, it is impossible to input a decryption key to restore the MBR and the partition table, suggesting that the new ransomware may be a wiper.

Once the user executes RedBoot it will extract 5 other files into a random folder in the directory containing the launcher. The five files are the following:

  • boot.asm. – it is an assembly file that will be compiled into the new master boot record. When the boot.asm has been compiled, it will generate the boot.bin file.
  • assembler.exe – it is a renamed copy of nasm.exe that is used to compile the boot.asm assembly file into the master boot record boot.bin file.
  • main.exe – It is the user mode encrypter that will encrypt the files on the computer.
  • overwrite.exe. – It is used to overwrite the master boot record with the newly compiled boot.bin file.
  • protect.exe – It is the executable will terminate and prevent various programs from running such as the task manager and processhacker.

When the files are extracted, the main launcher will compile the boot.asm file generating the boot.bin. Then the launcher executes the following command:

[Downloaded_Folder]\70281251\assembler.exe” -f bin “[Downloaded_Folder]\70281251\boot.asm” -o “[Downloaded_Folder]\70281251\boot.bin”

After boot.bin is compiled, the launcher will delete the boot.asm and assembly.exe files. Then it will use the overwrite.exe program to overwrite the current master boot record with the compiled boot.bin using this command:

“[Downloaded_Folder]\70945836\overwrite.exe” “[Downloaded_Folder]\70945836\boot.bin”

At the time when the ransomware starts the encryption process, the launcher will start the main.exe which will scan the machine for files to encrypt appending the .locked extension onto each encrypted file.

The main.exe program will also execute the protect.exe component in order to stop the execution of any software that can halt the infection. After all the files are encrypted, RedBoot will reboot the PC and a ransom note will be displayed.

The ransom note tells the victims to send their ID key to the email recipient in order to get payment instructions.

The problem here is that even if the victim has contacted the developer and paid the ransom, the hard drive may not be recoverable because the RedBoot ransomware permanently modifies the partition table.

“While this ransomware is brand new and still being researched, based on preliminary analysis it does not look promising for any victims of this malware. This is because in addition to the files being encrypted and the MBR being overwritten, preliminary analysis shows that this ransomware may also be modifying the partition table without providing a method to restore it.” security experts say.

The researchers also suggest that RedBoot is a wiper disguised as a ransomware, though there is a possibility that the developer has made some mistakes while developing the malware.

Nelly Vladimirova
Nelly Vladimirova has been working as a journalist since 1998 with a main focus on Finance, Economics, and IT. In 2004 she graduated the University of Plovdiv, Bulgaria, as a Bachelor in English Philology and Master in Linguistics and Translation. Later, Nelly received a postgraduate certificate in Business Management from Scott's College, UK. Presently, she is presenting the latest news related to computer security at


Please enter your comment!
Please enter your name here

Time limit is exhausted. Please reload CAPTCHA.