A new bootlocker ransomware called RedBoot was discovered by Malware Blocker. When executed, it encrypts files on the computer, replaces the MBR (Master Boot Record) of the system drive, and then modifies the partition table in some manner.
The ransomware does not provide a way to input a key to restore the MBR and partition table, unless the ransomware developer has a bootable decryptor for this malware.
The RedBoot Encryption Process
When the RedBoot ransomware, which is a compiled AutoIT executable, is executed, it will extract 5 other files into a random folder in the directory from which the launcher was executed. These files are boot.asm, assembler.exe, main.exe, overwrite.exe, and protect.exe and are described below.
assembler.exe – This is a renamed copy of nasm.exe that is used to compile the boot.asm assembly file into the master boot record boot.bin file.
boot.asm – This file is an assembly file that will be compiled into the new master boot record.
boot.bin – When boot.asm has been compiled by assembler.exe, it will generate the boot.bin file.
overwrite.exe – This program is used to overwrite the existing master boot record, or MBR, with the newly compiled boot.bin.
main.exe – This is the user mode encrypter that will encrypt the files on the computer.
protect.exe – This executable will terminate and prevent various programs from running. This includes task manager and processhacker.
Once the files are extracted, the main launcher will now execute the following command to compile the boot.asm file into the boot.bin file.
"[Downloaded_Folder]\70281251\assembler.exe" -f bin "[Downloaded_Folder]\70281251\boot.asm" -o "[Downloaded_Folder]\70281251\boot.bin"
Once boot.bin has been compiled, the launcher will delete the boot.asm and assembler.exe files from the computer. It will then use the overwrite.exe program to overwrite the computer’s current master boot record with the compiled boot.bin using this command.
The launcher will now start the main.exe program, which will scan the computer for files to encrypt. The main.exe program will also launch the protect.exe program in order to block programs that may be used to analyze or stop the infection.
While main.exe is encrypting files, it will encrypt executables, DLLs, and normal data files and append the .locked extension onto each encrypted file’s filename.
When it is done performing the file encryption, it will reboot the computer and, instead of starting Windows, display a ransom note generated by the new master boot record.
This ransom screen will instruct the victim to send their ID key to the developer at firstname.lastname@example.org in order to get payment instructions.
While this ransomware is brand new and still being researched, based on preliminary analysis it does not look promising for any victims of this malware. This is because in addition to the files being encrypted and the MBR being overwritten, preliminary analysis shows that this ransomware may also be modifying the partition table without providing a method to restore it.
This means that even if the victim contacted the developer and paid the ransom, the hard drive may not be recoverable. As this ransomware is further analyzed, if anything changes with this analysis I will be sure to update the article.
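For triage, it helps to tell a replaced boot code area apart from a changed partition table, since the second is what makes recovery doubtful. The following check is an added example, not code from the original article or from the malware; it compares a sector-0 copy against a known-good baseline, and all function names and sample bytes in it are constructed for illustration.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_END = 446      # bytes 0..445: boot code area
ENTRY_SIZE = 16          # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"  # bytes 510..511

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, partition entries, signature flag."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        raw = sector[BOOT_CODE_END + i * ENTRY_SIZE: BOOT_CODE_END + (i + 1) * ENTRY_SIZE]
        status, ptype = raw[0], raw[4]
        lba_start, sectors = struct.unpack_from("<II", raw, 8)
        parts.append({"bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
            "partitions": parts,
            "valid_signature": sector[510:512] == SIGNATURE}

def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Return findings describing how current differs from the known-good baseline."""
    old, new = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not new["valid_signature"]:
        findings.append("boot signature missing")
    if old["boot_code_sha256"] != new["boot_code_sha256"]:
        findings.append("boot code changed")
    for i, (a, b) in enumerate(zip(old["partitions"], new["partitions"])):
        if a != b:
            findings.append(f"partition entry {i} changed")
    return findings

def build_sample_mbr(boot_code: bytes, entries: list) -> bytes:
    """Constructed test sector: boot code padded to 446 bytes, entries, signature."""
    table = b"".join(
        struct.pack("<B3sB3sII", 0x80 if boot else 0, b"\0\0\0", ptype, b"\0\0\0", lba, n)
        for boot, ptype, lba, n in entries)
    return boot_code.ljust(BOOT_CODE_END, b"\0") + table.ljust(64, b"\0") + SIGNATURE

# Constructed sample sectors, not taken from a RedBoot-infected disk.
GOOD = build_sample_mbr(b"\xfa\x33\xc0", [(True, 0x07, 2048, 1024000)])
TAMPERED = build_sample_mbr(b"\xeb\xfe", [(True, 0x07, 0, 0)])

if __name__ == "__main__":
    print(compare_mbr(GOOD, GOOD), compare_mbr(GOOD, TAMPERED))
```

The inputs are the first 512 bytes of the disk or of a forensic image, with the baseline captured while the machine was known to be clean.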
Is it a buggy ransomware or a wiper?
While this ransomware does perform standard user mode encryption, the modification of the partition table, combined with the lack of any way to input a key to recover it, may indicate that this is a wiper disguised as ransomware. Then again, since the developer used a scripting language like AutoIT to develop this ransomware, it could very well be just a buggy and poorly coded ransomware.