RedBoot ransomware also modifies partition table, is it a wiper?

The RedBoot ransomware encrypts files on the infected computer, replaces the Master Boot Record and then modifies the partition table.

Malware Blocker researcher discovered a new bootlocker ransomware, dubbed RedBoot, that encrypts files on the infected computer, replaces the Master Boot Record (MBR) of the system drive and then modifies the partition table.

The experts noticed that there is no way to input a decryption key to restore the MBR and partition table, a circumstance that suggests this malware may be a wiper.

When the victim executes the RedBoot ransomware it will extract 5 other files into a random folder in the directory containing the launcher.

The five files are:

• boot.asm. – it is an assembly file that will be compiled into the new master boot record. When the boot.asm has been compiled, it will generate the boot.bin file.
• assembler.exe – it is a renamed copy of nasm.exe that is used to compile the boot.asm assembly file into the master boot record boot.bin file.
• main.exe – It is the user mode encrypter that will encrypt the files on the computer
• overwrite.exe. – It is used to overwrite the master boot record with the newly compiled boot.bin file.
• protect.exe – It is the executable will terminate and prevent various programs from running such as the task manager and processhacker.

Once the files are extracted, the main launcher will compile the boot.asm file generating the boot.bin. The launcher executes the following command:

[Downloaded_Folder]\70281251\assembler.exe" -f bin "[Downloaded_Folder]\70281251\boot.asm" -o "[Downloaded_Folder]\70281251\boot.bin"

Once boot.bin has been compiled, the launcher will delete the boot.asm and assembly.exe files, then it will use the overwrite.exe program to overwrite the current master boot record with the compiled boot.bin using this command.

"[Downloaded_Folder]\70945836\overwrite.exe" "[Downloaded_Folder]\70945836\boot.bin"

At this point, the malware starts the encryption process, the launcher will start the main.exe that will scan the machine for files to encrypt appending the .locked extension onto each encrypted file. The main.exe program will also execute the protect.exe component to stop the execution of any software that can halt the infection.

This ransom note provides the instruction to the victims to send their ID key to the email recipient redboot@memeware.net in order to get payment instructions.

Unfortunately, even if the victim contacted the developer and paid the ransom, the hard drive may not be recoverable because the RedBoot ransomware permanently modifies the partition table.

“While this ransomware is brand new and still being researched, based on preliminary analysis it does not look promising for any victims of this malware. This is because in addition to the files being encrypted and the MBR being overwritten, preliminary analysis shows that this ransomware may also be modifying the partition table without providing a method to restore it.” reads the analysis published by Lawrence Abrams.

Experts speculate the malware is a wiper disguised as a ransomware, but we cannot exclude that the author simply made some errors in the development phase.

“While this ransomware does perform standard user mode encryption, the modifying of the partition table and no way of inputting a key to recover it, may indicate that this is a wiper disguised as a ransomware. Then again, since the developer used a scripting language like AutoIT to develop this ransomware, it could very well be just a buggy and poorly coded ransomware.” concluded Lawrence Abrams.

Give a look at the analysis if you are interested in Indicators of Compromise (IoCs).

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – RedBoot ransomware, malware)

[adrotate banner=”12″]