The newly discovered RedBoot ransomware can alter Master Boot Records.

The SonicWall Capture Labs Threat Research Team observed reports of a new variant family of RedBoot Ransomware [RedBoot.A] actively spreading in the wild.

RedBoot encrypts the victim's files with a strong encryption algorithm, replaces the Master Boot Record (MBR) of the system drive and then modifies the partition table in some manner, holding the system until the victim pays a fee to get the files back.

Infection Cycle:

The Malware adds the following files to the system:

  • Malware.exe
    • %Userprofile%\[Random Numbers]\assembler.exe
      • Compiler: compiles the boot.asm assembly file into the MBR image boot.bin.
    • %Userprofile%\[Random Numbers]\boot.asm
    • %Userprofile%\[Random Numbers]\boot.bin
    • %Userprofile%\[Random Numbers]\overwrite.exe
      • Rewrites the existing MBR with the newly compiled boot.bin.
    • %Userprofile%\[Random Numbers]\main.exe
      • Encryptor program.
    • %Userprofile%\[Random Numbers]\protect.exe
      • Terminates analysis programs such as Task Manager.

Once the computer is compromised, the Malware copies its own executable file to the %Userprofile% folder and compiles boot.bin.

The Malware then deletes the boot.asm and assembler.exe files from the computer.

The Malware uses the overwrite.exe program to overwrite the computer's MBR with the compiled boot.bin using the following commands:

While Malware.exe is encrypting files, it appends the .locked extension to each encrypted file's filename.

After the Malware encrypts all personal documents and restarts the computer, the new MBR simply boots to a red screen containing a message reporting that the computer has been encrypted and instructing the victim to contact its developer for unlock instructions.

In our analysis we noticed that the Malware doesn't provide a way to input a key to restore the MBR and partition table. It is currently unclear whether RedBoot is yet another wiper masquerading as ransomware, just as NotPetya was, or whether it is simply poorly coded malware.
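As an added example (not part of the SonicWall analysis or the malware itself), the following Python compares a freshly read MBR against a trusted baseline, the kind of integrity check a defender can run to spot the replaced bootstrap code and modified partition table described above. The 512-byte MBRs it operates on are constructed inside the script; on a real host the bytes would be read from the first sector of the system drive.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_LEN = 446        # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446       # four 16-byte partition entries follow
SIGNATURE = b"\x55\xAA"    # bytes 510..511 must hold the boot signature


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash, partition entries and signature check."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # type 0x00 is an unused slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest(),
            "partitions": parts,
            "signature_ok": mbr[510:512] == SIGNATURE}


def check_mbr(current: bytes, baseline: bytes) -> list:
    """Return findings that differ between the MBR just read and the trusted baseline."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("bootstrap code replaced")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table modified")
    return findings


def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a constructed MBR from boot code and (status, type, lba_start, sectors) tuples."""
    table = b"".join(struct.pack("<B3xB3xII", s, t, lba, n) for s, t, lba, n in partitions)
    return boot_code.ljust(BOOTSTRAP_LEN, b"\x00") + table.ljust(64, b"\x00") + SIGNATURE


# Constructed samples: a known-good MBR and one whose boot code and partition table were altered.
GOOD_MBR = build_mbr(b"\xFA\x33\xC0\x8E\xD0", [(0x80, 0x07, 2048, 1_000_000)])
BAD_MBR = build_mbr(b"\xB8\x13\x00\xCD\x10", [(0x00, 0x07, 4096, 1_000_000)])

if __name__ == "__main__":
    print("baseline vs itself:", check_mbr(GOOD_MBR, GOOD_MBR))
    print("tampered vs baseline:", check_mbr(BAD_MBR, GOOD_MBR))
```

In practice the baseline hash and partition layout would be recorded at provisioning time and the check scheduled or run during incident triage, before any reboot hands control to the rewritten boot code.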
