Malware News Ransomware or Wiper? RedBoot Encrypts Files but also Modifies Partition Table

Solarquest

Solarquest

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
A new bootlocker ransomware was discovered by Malware Blocker called RedBoot that when executed will encrypt files on the computer, replace the MBR, or Master Boot Record, of the system drive and then then modifies the partition table in some manner.

As the ransomware does not provide a way to input a key to restore the MBR and partition table, unless the ransomware developer has a bootable decryptor this malware may be a wiper.

The RedBoot Encryption Process
When the RedBoot ransomware, which is a compiled AutoIT executable, is executed it will extract 5 other files into a random folder in the directory that the launcher was executed. These files are boot.asm, assembler.exe, main.exe, overwrite.exe, and protect.exe and are described below.

....
 
  • Like
Reactions: Deleted member 65228, tonibalas, AlanOstaszewski and 1 other person
tonibalas

tonibalas

Level 40
Verified
Honorary Member
Top Poster
Well-known
Sep 26, 2014
2,973
Eset is 2/3 on this one.
MBR protection.One thing comes in mind for protecting and i have it installed:D. Shadow Defender;)
 
  • Like
Reactions: Deleted member 65228
D

Deleted member 65228

For anyone interested:

boot_asm.png

Image source: the Bleeping Computer article.

Code: 
BITS 16
ORG 0x7c00

The above is needed because the ASM code is 16-bit (first line) and because the BIOS loads the first boot sector at address 0x7c00 in memory.

Code: 
times 510 - ($-$$) db 0
dw 0xaa55

The above is there to ensure the custom boot sector is the correct size (second to last line), and to provide the boot signature (last line) so the BIOS knows it is bootable.

If anyone is using MBR Filter, you will be protected from attacks like this also (and also Volume Boot Record attacks since MBR Filter supports that too).
 
  • Like
Reactions: silversurfer and tonibalas
You must log in or register to reply here.

Similar threads

Gandalf_The_Grey
    • +Reputation
    • Like
Malware News Surge in Magniber ransomware attacks impact home users worldwide
Replies
2
Views
2,496
Security News
Jonny Quest
Jonny Quest
Gandalf_The_Grey
    • Like
    • Wow
Azov Ransomware is a wiper, destroying data 666 bytes at a time
Replies
0
Views
558
News Archive
Gandalf_The_Grey
Gandalf_The_Grey
nicolaasjan
    • Like
    • Applause
    • +Reputation
Malware News New decryptor for Babuk Tortilla ransomware variant released
Replies
0
Views
1,118
Security News
nicolaasjan
nicolaasjan

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top