Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

RedBoot Ransomware Modifies Master Boot Record

A newly discovered ransomware family has the ability to replace the Master Boot Record and modify the partition table, allowing the malware to function as a wiper.

A newly discovered ransomware family has the ability to replace the Master Boot Record and modify the partition table, allowing the malware to function as a wiper.

Dubbed RedBoot, the malware was clearly designed for destructive purposes, as even the file-encryption operation is of a similar nature: it encrypts executables and DLLs along with normal data files, thus rendering the infected machine useless. Furthermore, by replacing the MBR, it prevents the computer from loading Windows.

The malware’s operations are similar to those of the Petya-Mischa pair – Petya would replace the MBR while Mischa would encrypt users’ files – which later evolved into the Goldeneye variant. This year, a global attack was using a destructive wiper masquerading as Petya.

Once executed on the target machine, the new RedBoot ransomware extracts 5 other files into a random folder in the same directory as the launcher: assembler.exe, boot.asm, main.exe, overwrite.exe, and protect.exe, BleepingComputer’s Lawrence Abrams notes.

assembler.exe, which is a renamed copy of nasm.exe, is used to compile the boot.asm assembly file into a new MBR boot.bin file. Next, overwrite.exe is used to overwrite the existing boot.bin with the newly compiled one.

The user mode encryption operation is performed by the main.exe file, while protect.exe was designed to terminate and prevent various programs from running on the infected machine, including Task Manager and Process Hacker.

After the files have been extracted, the launcher executes the necessary command to the new boot.bin file, and then deletes the boot.asm and assembly.exe files. Next, it overwrites boot.bin, and then starts main.exe to scan the computer for files to encrypt. protect.exe is also launched to prevent other programs from blocking or analyzing the infection.

The ransomware was designed to encrypt executables, DLLs, and normal data files on the infected machine, and appends the .locked extension to each of the encrypted files. As soon as the encryption process has been completed, the malware reboots the machine and the new master boot record displays a ransom note instead of loading Windows.

Although the ransom note claims that victims can recover their data if they contact the malware author at [email protected] to receive payment instructions, the researchers analyzing the threat suggest that this might not be the case.

Apparently, the malware “may also be modifying the partition table without providing a method to restore it,” Abrams says. Because of that, even if the victim contacts the malware author and pays the ransom, the hard drive might not be recoverable, the researcher explains.

It is currently unclear whether RedBoot is yet another wiper masquerading as ransomware, just as NotPetya, or if it is just poorly coded malware. The threat was compiled using AutoIT, which could suggest that an error resulted in it modifying the partition table without providing a way to input a key to recover it.

Related: NotPetya – Destructive Wiper Disguised as Ransomware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.