The newly discovered RedBoot ransomware can alter Master Boot Records.(Oct 20, 2017)
Description
The SonicWall Capture Labs Threat Research Team observed reports of a new
variant family of RedBoot Ransomware [RedBoot.A] actively spreading in the wild.
RedBoot encrypts the victim's files with a strong encryption algorithm, replaces the Master Boot Record (MBR) of the system drive, and then modifies the partition table in some manner, holding the data until the victim pays a fee to get it back.
Infection Cycle:
The Malware adds the following files to the system:
- Malware.exe
- %Userprofile%\[Random Numbers]\assembler.exe
- %Userprofile%\[Random Numbers]\boot.asm
- %Userprofile%\[Random Numbers]\boot.bin
- %Userprofile%\[Random Numbers]\overwrite.exe
- %Userprofile%\[Random Numbers]\main.exe
- %Userprofile%\[Random Numbers]\protect.exe
Once the computer is compromised, the Malware copies its own executable file to the %Userprofile% folder and compiles boot.bin.
The Malware then deletes the boot.asm and assembler.exe files from the computer.
The Malware uses the overwrite.exe program to overwrite the computer's MBR with the compiled boot.bin using the following commands:
Malware.exe encrypts all of the victim's files and appends the .locked extension to each encrypted file's filename.
After the Malware encrypts all personal documents and restarts the computer, the new MBR simply boots to a red screen containing a message reporting that the computer has been encrypted and instructing the victim to contact its developer for unlock instructions.
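Because RedBoot replaces the MBR and tampers with the partition table, a defender can detect this class of damage by comparing the first sector of the system drive against a known-good baseline and sanity-checking the partition table. The following Python is an added example, not SonicWall's or the malware's code; the two 512-byte sectors are constructed stand-ins (the "overwritten" one is not RedBoot's real boot.bin), and on a live system the sector would be read from the raw disk device instead.

```python
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446          # bootstrap code occupies bytes 0..445
PART_ENTRY_SIZE = 16             # four primary entries follow, then 0x55AA
BOOT_SIGNATURE = b"\x55\xAA"
ENTRY_FMT = "<B3xB3xII"          # status, CHS start(skip), type, CHS end(skip), LBA start, sector count

def parse_partition_table(sector: bytes) -> list:
    """Decode the four primary partition entries of an MBR sector."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, ptype, lba_start, count = struct.unpack_from(ENTRY_FMT, sector, off)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries

def check_mbr(sector: bytes, known_good: bytes = None) -> list:
    """Return human-readable findings; an empty list means the sector looks intact."""
    if len(sector) != MBR_SIZE:
        return [f"unexpected sector length {len(sector)}"]
    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    parts = parse_partition_table(sector)
    if not any(p["type"] != 0 for p in parts):
        findings.append("partition table is empty")           # all entries zeroed
    if sum(p["bootable"] for p in parts) > 1:
        findings.append("more than one partition flagged bootable")
    if known_good is not None:
        if sector[:PART_TABLE_OFFSET] != known_good[:PART_TABLE_OFFSET]:
            findings.append("bootstrap code differs from known-good baseline")
        if sector[PART_TABLE_OFFSET:510] != known_good[PART_TABLE_OFFSET:510]:
            findings.append("partition table differs from known-good baseline")
    return findings

def build_sample_mbr(bootstrap: bytes, entries: list) -> bytes:
    """Assemble a constructed MBR from bootstrap bytes and (status, type, lba, count) tuples."""
    sector = bytearray(MBR_SIZE)
    code = bootstrap[:PART_TABLE_OFFSET]
    sector[:len(code)] = code
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFFSET + i * PART_ENTRY_SIZE,
                         status, ptype, lba, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)

# Constructed baseline: one active NTFS-type (0x07) partition starting at LBA 2048.
GOOD_MBR = build_sample_mbr(b"\x33\xC0\x8E\xD0" + b"\x90" * 100, [(0x80, 0x07, 2048, 204800)])
# Constructed tampered sector: foreign bootstrap code and every partition entry zeroed.
BAD_MBR = build_sample_mbr(b"\xB8\x13\x00\xCD\x10" + b"\x90" * 100, [])
```

Snapshotting the good sector once (for example right after provisioning) and re-running `check_mbr` from a scheduled task gives an early signal before the reboot that reveals the red screen.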
After our analysis we noticed that the Malware does not provide a way to input a key to restore the MBR and partition table. It is currently unclear whether RedBoot is yet another wiper masquerading as ransomware, as NotPetya was, or whether it is simply poorly coded malware.
We have been monitoring varying hits over the past few days for the
signature that blocks this threat:
SonicWALL Gateway AntiVirus provides protection against this threat via the
following signature: