Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

RedBoot Ransomware Modifies Master Boot Record

A newly discovered ransomware family has the ability to replace the Master Boot Record and modify the partition table, allowing the malware to function as a wiper.

A newly discovered ransomware family has the ability to replace the Master Boot Record and modify the partition table, allowing the malware to function as a wiper.

Dubbed RedBoot, the malware was clearly designed for destructive purposes, as even the file-encryption operation is of a similar nature: it encrypts executables and DLLs along with normal data files, thus rendering the infected machine useless. Furthermore, by replacing the MBR, it prevents the computer from loading Windows.

The malware’s operations are similar to those of the Petya-Mischa pair – Petya would replace the MBR while Mischa would encrypt users’ files – which later evolved into the Goldeneye variant. This year, a global attack was using a destructive wiper masquerading as Petya.

Once executed on the target machine, the new RedBoot ransomware extracts 5 other files into a random folder in the same directory as the launcher: assembler.exe, boot.asm, main.exe, overwrite.exe, and protect.exe, BleepingComputer’s Lawrence Abrams notes.

assembler.exe, which is a renamed copy of nasm.exe, is used to compile the boot.asm assembly file into a new MBR boot.bin file. Next, overwrite.exe is used to overwrite the existing boot.bin with the newly compiled one.

The user mode encryption operation is performed by the main.exe file, while protect.exe was designed to terminate and prevent various programs from running on the infected machine, including Task Manager and Process Hacker.

After the files have been extracted, the launcher executes the necessary command to the new boot.bin file, and then deletes the boot.asm and assembly.exe files. Next, it overwrites boot.bin, and then starts main.exe to scan the computer for files to encrypt. protect.exe is also launched to prevent other programs from blocking or analyzing the infection.

The ransomware was designed to encrypt executables, DLLs, and normal data files on the infected machine, and appends the .locked extension to each of the encrypted files. As soon as the encryption process has been completed, the malware reboots the machine and the new master boot record displays a ransom note instead of loading Windows.

Although the ransom note claims that victims can recover their data if they contact the malware author at [email protected] to receive payment instructions, the researchers analyzing the threat suggest that this might not be the case.

Apparently, the malware “may also be modifying the partition table without providing a method to restore it,” Abrams says. Because of that, even if the victim contacts the malware author and pays the ransom, the hard drive might not be recoverable, the researcher explains.

It is currently unclear whether RedBoot is yet another wiper masquerading as ransomware, just as NotPetya, or if it is just poorly coded malware. The threat was compiled using AutoIT, which could suggest that an error resulted in it modifying the partition table without providing a way to input a key to recover it.

Related: NotPetya – Destructive Wiper Disguised as Ransomware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.