The newly discovered RedBoot ransomware can alter Master Boot Records.

October 20, 2017

The SonicWall Capture Labs Threat Research Team observed reports of a new variant family of RedBoot Ransomware [RedBoot.A] actively spreading in the wild.

RedBoot encrypts the victim's files with a strong encryption algorithm, replaces the Master Boot Record (MBR) of the system drive and modifies the partition table, then demands a fee to get them back.

Infection Cycle:

The malware drops the following files on the system:

  • Malware.exe

    • %Userprofile%\[Random Numbers]\assembler.exe

      • Assembler: compiles the boot.asm source into boot.bin, the replacement MBR image.

    • %Userprofile%\[Random Numbers]\boot.asm

    • %Userprofile%\[Random Numbers]\boot.bin

    • %Userprofile%\[Random Numbers]\overwrite.exe

      • Overwrites the existing MBR with the newly compiled boot.bin.

    • %Userprofile%\[Random Numbers]\main.exe

      • The file encryptor.

    • %Userprofile%\[Random Numbers]\protect.exe

      • Terminates analysis tools such as Task Manager so they cannot run.

Once the computer is compromised, the malware copies its own executable to the %Userprofile% folder and compiles boot.bin.

The malware then deletes boot.asm and assembler.exe from the computer.

The malware uses overwrite.exe to overwrite the computer's MBR with the compiled boot.bin using the following commands:

main.exe encrypts the victim's files and appends the .locked extension to each encrypted file's name.

After all personal documents are encrypted, the malware restarts the computer. The new MBR simply boots to a red screen stating that the computer has been encrypted and telling the victim to contact the developer for unlock instructions.

Our analysis found that the malware provides no way to enter a key that would restore the MBR and partition table. It is currently unclear whether RedBoot is yet another wiper masquerading as ransomware, as NotPetya was, or simply poorly coded malware.
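A defender-side check for the kind of MBR tampering described above, added here as an example that is not part of the original advisory or of SonicWall's tooling: it parses a 512-byte boot sector, decodes the partition table, verifies the 0x55AA boot signature and compares the boot code against a known-good hash. Both sample sectors are constructed for illustration; the stand-in boot code is a placeholder, not RedBoot's boot.bin (whose bytes this page does not reproduce). The `\\.\PhysicalDrive0` path is the standard Windows raw-disk device and needs administrator rights.

```python
"""Offline MBR integrity check (added example, not the advisory's own code).

Parses a 512-byte boot sector, decodes the four partition entries, checks the
0x55AA signature and compares the boot code to a known-good hash, which is the
evidence left behind when a sample like RedBoot replaces the MBR.
"""
import hashlib
import struct
from typing import List, Optional

MBR_SIZE = 512
BOOT_CODE_LEN = 446            # boot code occupies bytes 0..445
PARTITION_TABLE_OFF = 446      # four 16-byte entries follow the boot code
ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of a valid MBR
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def partition_entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    """Pack one 16-byte partition-table entry (CHS fields left zero)."""
    return struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, ptype, lba_start, sectors)


def build_mbr(boot_code: bytes, entries: List[bytes], with_signature: bool = True) -> bytes:
    """Assemble a 512-byte sector from boot code, partition entries and the signature."""
    sector = bytearray(MBR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    for i, entry in enumerate(entries[:4]):
        off = PARTITION_TABLE_OFF + i * ENTRY_LEN
        sector[off:off + ENTRY_LEN] = entry
    if with_signature:
        sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector: bytes) -> dict:
    """Decode boot-code hash, the non-empty partition entries and the signature flag."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + i * ENTRY_LEN
        entry = sector[off:off + ENTRY_LEN]
        if entry == bytes(ENTRY_LEN):        # all-zero entry: slot unused
            continue
        status, ptype, lba_start, sectors = struct.unpack(ENTRY_FMT, entry)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def assess_mbr(sector: bytes, baseline_boot_code_sha256: Optional[str] = None) -> List[str]:
    """Return human-readable findings; an empty list means nothing looked tampered."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if not info["partitions"]:
        findings.append("partition table is empty")
    if baseline_boot_code_sha256 and info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline")
    return findings


def read_boot_sector(path: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the first 512 bytes of a raw disk (Windows device path; needs admin)."""
    with open(path, "rb") as disk:
        return disk.read(MBR_SIZE)


# --- constructed sample sectors (not real captures) ---
# Stand-in for a stock boot loader: a two-byte infinite-jump stub padded with NOPs.
STOCK_STUB = b"\xeb\xfe" + b"\x90" * (BOOT_CODE_LEN - 2)
# Stand-in for attacker boot code (NOT RedBoot's boot.bin): different bytes, same length.
FOREIGN_STUB = b"\xfa\xf4" + b"\xcc" * (BOOT_CODE_LEN - 2)

CLEAN_MBR = build_mbr(STOCK_STUB, [partition_entry(True, 0x07, 2048, 204800)])  # one NTFS partition
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]                     # recorded on a known-good host
TAMPERED_MBR = build_mbr(FOREIGN_STUB, [])                                     # new boot code, table zeroed

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, assess_mbr(sector, BASELINE_SHA256) or ["no findings"])
```

Take the baseline hash from a known-good image of the same OS build, and run the check against a disk image or from a clean boot environment rather than on the live host, since protect.exe kills analysis tools there. A changed boot-code hash is an indicator, not proof: legitimate boot repair or an OS upgrade also rewrites it, and on GPT disks the protective MBR carries a single 0xEE entry rather than real partitions.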