RedBoot is a ransomware that runs on Microsoft Windows. When executed, it encrypts files on the computer and replaces the Master Boot Record (MBR) of the system drive. Because the ransomware provides no way to enter a key to restore the MBR and the encrypted files, this malware is deemed a wiper unless the ransomware developer has a bootable decryptor.
When the RedBoot ransomware is executed, it extracts five other files into a randomly named folder inside the current user's User Profile folder. These files are "boot.asm", "assembler.exe", "main.exe", "overwrite.exe" and "protect.exe", and are described below:
- "assembler.exe" - A renamed copy of the legitimate NASM assembler, used to compile the "boot.asm" assembly file into the malicious Master Boot Record file "boot.bin".
- "boot.asm" - The assembly source file that is compiled into the new MBR of the infected machine.
- "boot.bin" - The file generated when "boot.asm" is compiled by "assembler.exe".
- "overwrite.exe" - This program overwrites the existing Master Boot Record (MBR) with the newly compiled "boot.bin".
- "main.exe" - A user-mode file encryptor that encrypts the files on the computer.
- "protect.exe" - This executable terminates various programs and prevents them from running, including Task Manager (taskmgr.exe) and Process Hacker.
Once the files are extracted, the main launcher executes the following command to compile the "boot.asm" file into the "boot.bin" file:
"[UserProfile]\70281251\assembler.exe" -f bin "[UserProfile]\70281251\boot.asm" -o "[UserProfile]\70281251\boot.bin"
Once "boot.bin" has been compiled, the launcher deletes the "boot.asm" and "assembler.exe" files from the computer. It then uses the "overwrite.exe" program to overwrite the computer's current Master Boot Record with the compiled "boot.bin" using this command:
The launcher then starts the "main.exe" program, which scans the computer for files to encrypt. This program also launches the "protect.exe" program to block programs that could be used to analyze or stop the infection.
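The launcher's chain above (a renamed NASM producing a flat binary under a user profile folder, followed by the other dropped components running from the same folder) is the kind of behaviour a defender can hunt for in process-creation telemetry. The following is an added example, not code from the original write-up: it runs two checks over constructed process-creation events shaped as (image path, command line). The folder name 70281251 is taken from the page's example command; the user name "alice", the event format and the rule names are assumptions.

```python
import re
from collections import defaultdict

# Component names the write-up lists as dropped by the launcher.
DROPPED_COMPONENTS = {"assembler.exe", "overwrite.exe", "main.exe", "protect.exe"}

# A path under a user profile: captures the profile directory and the profile-relative remainder.
USER_PROFILE_RE = re.compile(r"^(?P<profile>[A-Za-z]:\\Users\\[^\\]+)\\(?P<rest>.+)$", re.IGNORECASE)
# NASM's flat-binary output format switch, which is what a raw boot sector needs.
FLAT_BIN_RE = re.compile(r"(?:^|\s)-f\s+bin(?:\s|$)", re.IGNORECASE)

# Constructed sample events (not real telemetry): the RedBoot chain plus two benign processes.
SAMPLE_EVENTS = [
    (r"C:\Users\alice\70281251\assembler.exe",
     r'"C:\Users\alice\70281251\assembler.exe" -f bin "C:\Users\alice\70281251\boot.asm" -o "C:\Users\alice\70281251\boot.bin"'),
    (r"C:\Users\alice\70281251\overwrite.exe", r'"C:\Users\alice\70281251\overwrite.exe"'),
    (r"C:\Users\alice\70281251\main.exe", r'"C:\Users\alice\70281251\main.exe"'),
    (r"C:\Users\alice\70281251\protect.exe", r'"C:\Users\alice\70281251\protect.exe"'),
    (r"C:\Program Files\NASM\nasm.exe", r'"C:\Program Files\NASM\nasm.exe" -f elf64 hello.asm -o hello.o'),
    (r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\Users\alice\notes.txt"),
]


def parse_user_profile_path(path):
    """Return (profile_dir, parent_folder, filename) for a path under C:\\Users\\<name>\\, else None."""
    m = USER_PROFILE_RE.match(path)
    if not m:
        return None
    parent, _, filename = m.group("rest").rpartition("\\")
    return m.group("profile"), parent, filename.lower()


def detect_flat_binary_assembly(image, cmdline):
    """Flag an assembler writing a flat binary (-f bin) while running from a user-profile folder."""
    if parse_user_profile_path(image) is None or not FLAT_BIN_RE.search(cmdline):
        return None
    outputs = re.findall(r'-o\s+"?([^"\s]+\.bin)"?', cmdline, re.IGNORECASE)
    return {"rule": "flat_binary_from_user_profile", "image": image, "outputs": outputs}


def detect_component_cluster(events, min_components=3):
    """Flag a user-profile folder from which at least min_components of the dropped names executed."""
    seen = defaultdict(set)
    for image, _ in events:
        parsed = parse_user_profile_path(image)
        if parsed is None:
            continue
        profile, parent, filename = parsed
        if filename in DROPPED_COMPONENTS:
            seen[(profile, parent)].add(filename)
    return [{"rule": "redboot_component_cluster",
             "folder": profile + "\\" + parent,
             "components": sorted(names)}
            for (profile, parent), names in seen.items() if len(names) >= min_components]


def scan(events):
    """Run both detections and return all findings, per-event findings first."""
    findings = []
    for image, cmdline in events:
        finding = detect_flat_binary_assembly(image, cmdline)
        if finding:
            findings.append(finding)
    findings.extend(detect_component_cluster(events))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The first rule fires on the assembler invocation alone, which is useful because the boot.asm and assembler.exe files are deleted right after compilation and may not survive for disk forensics; the second rule needs the process names only, so it still works when the random folder name differs from the page's example. The legitimate NASM build from Program Files matches neither rule.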
As "main.exe" encrypts files, it appends the ".locked" extension to each encrypted file's name. It encrypts every file with one of the extensions listed below in the "Desktop", "Downloads", "Music", "Pictures" and "Videos" folders of the current User Profile folder. When the file encryption is complete, it reboots the computer; instead of starting Microsoft Windows, the new Master Boot Record displays a ransom note.
.aif .aifc .aiff .asf .asx .au .bas .bat .bmp .cmd .com .config .cpl .dib .doc .docx .dot .dvr-ms .emf .exe .gif .hta .htm .html .ico .ini .ivf .jfif .jpe .jpeg .jpg .m1v .m3u .mht .mid .midi .mp2 .mp2v .mp3 .mpa .mpe .mpeg .mpg .mpv2 .msilnk .pdb .pdf .pif .png .pot .pps .ppt .pptx .reg .rle .rmi .rtf .scr .search-ms .snd .tif .tiff .txt .vb .wav .wax .wm .wma .wmf .wmv .wmx .wvx .xbap .xls .xlsx .xlt .xlw .xml .xps .zip
This ransom screen instructs the victim to send their ID key to the developer at "firstname.lastname@example.org" in order to get payment instructions. This malware does not encrypt the MFT, so the MBR payload is only a message screen, which can be fixed by using the "fixmbr C:" command.
While this ransomware is brand new and still being researched, preliminary analysis does not look promising for victims of this malware. In addition to the files being encrypted and the MBR being overwritten, preliminary analysis shows that this ransomware may also modify the partition table without providing a method to restore it. This means that even if the victim contacted the developer and paid the ransom, the hard drive may not be recoverable, making it a wiper trojan.
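Whether recovery is as simple as the "fixmbr" command mentioned above depends on what exactly was changed in the first sector: fixmbr rewrites the 446 bytes of boot code but leaves the 64-byte partition table alone, so a damaged partition table is what turns an overwritten MBR into an unrecoverable disk. The following added example (not code from the original write-up) is a triage check a responder can run on a disk image before deciding on a repair: it validates the 0x55AA signature, decodes the four partition entries, looks for an empty or overlapping table and a missing active partition, and optionally compares the boot code against a recorded baseline hash. The two sample sectors are constructed here; the placeholder boot code and the partition geometry are assumptions, not data from RedBoot.

```python
import hashlib
import struct

MBR_SIZE = 512
PT_OFFSET = 446          # partition table follows the boot code
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"
# status, (CHS start skipped), type, (CHS end skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def read_mbr(path):
    """Read the first sector of a disk image or raw device (raw devices need administrator rights)."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


def parse_partition_table(mbr):
    """Decode the four 16-byte partition entries into dicts."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, mbr, PT_OFFSET + i * ENTRY_SIZE)
        entries.append({"index": i, "status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr, baseline_bootcode_sha256=None):
    """Return human-readable findings; an empty list means the sector looks structurally sane."""
    if len(mbr) != MBR_SIZE:
        return ["sector is not 512 bytes"]
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    entries = parse_partition_table(mbr)
    used = [e for e in entries if e["type"] != 0 or e["sectors"] != 0]
    if not used:
        findings.append("partition table is empty")
    for e in entries:
        if e["status"] not in (0x00, 0x80):
            findings.append(f"entry {e['index']}: invalid status byte 0x{e['status']:02x}")
    if used and not any(e["status"] == 0x80 for e in used):
        findings.append("no active (bootable) partition")
    # Sort by start LBA and flag any entry that begins before its predecessor ends.
    ranges = sorted((e["lba_start"], e["lba_start"] + e["sectors"], e["index"]) for e in used)
    for (_, end1, i1), (start2, _, i2) in zip(ranges, ranges[1:]):
        if start2 < end1:
            findings.append(f"entries {i1} and {i2} overlap")
    if baseline_bootcode_sha256 is not None:
        if hashlib.sha256(mbr[:PT_OFFSET]).hexdigest() != baseline_bootcode_sha256:
            findings.append("boot code differs from the recorded baseline")
    return findings


def build_mbr(bootcode, entries):
    """Assemble a 512-byte sector from boot code and (status, type, lba_start, sectors) tuples."""
    sector = bytearray(MBR_SIZE)
    code = bootcode[:PT_OFFSET]
    sector[:len(code)] = code
    for i, entry in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, PT_OFFSET + i * ENTRY_SIZE, *entry)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed samples (not captured from a real disk). The boot code is a placeholder stand-in.
HEALTHY_BOOTCODE = b"\xEB\x3C" + b"\x90" * 444
HEALTHY_MBR = build_mbr(HEALTHY_BOOTCODE, [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 409600)])
BASELINE_SHA256 = hashlib.sha256(HEALTHY_MBR[:PT_OFFSET]).hexdigest()

# A replaced sector: different boot code, zeroed partition table, signature kept so the BIOS still boots it.
TAMPERED_BOOTCODE = bytes(range(256)) + bytes(range(190))
TAMPERED_MBR = build_mbr(TAMPERED_BOOTCODE, [])

if __name__ == "__main__":
    print("healthy:", check_mbr(HEALTHY_MBR, BASELINE_SHA256))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE_SHA256))
```

Recording the baseline hash of a machine's boot code ahead of time (for instance as part of imaging) is what makes the last check useful; without it the script can still tell you that the partition table is empty or inconsistent, which is the case where fixmbr alone will not bring the disk back and a partition-table rebuild from the original geometry is needed.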