A newly discovered ransomware called RedBoot is one of the most dangerous yet. Not only does it encrypt files, it also alters the partition table and the master boot record (MBR) to cause what seems to be permanent damage.
Early research into RedBoot hasn’t turned up a command and control server, nor are the ransomers asking for Bitcoin payment. Those facts, along with what looks to be irreparable encryption, are leading some to believe RedBoot is designed purely to do damage.
It’s possible that RedBoot is just poorly coded, which is where Lawrence Abrams of Bleeping Computer is leaning.
If you’re worried about catching RedBoot you don’t need to be—yet. RedBoot’s developer contacted Abrams and told him that the current version is a development build. The final version, the developer said, will be out in October.
That’s when you’ll need to start worrying.
How RedBoot destroys computers
RedBoot’s current version comes as a compiled AutoIt executable that extracts into five components: an assembler; a boot.asm that the assembler turns into boot.bin; an overwrite executable that writes boot.bin as the new MBR; an executable that encrypts files; and another executable that prevents programs like Task Manager and Process Hacker from running.
After RedBoot does its work it restarts the computer, and the new MBR simply boots to a red screen with a message stating that the computer has been encrypted and instructing the victim to contact the developer for unlock instructions.
As part of its execution sequence RedBoot also changes the partition table, and Abrams hasn’t discovered a way to reverse it.
Poorly coded or not, RedBoot is a serious threat.
There’s no way of knowing how RedBoot will propagate itself come October, and that’s troubling considering all the damage it could do.
Businesses and individuals concerned about permanent loss of files should ensure workstations are backed up to some form of network or cloud storage, antivirus software definitions are up to date, and users are trained to avoid phishing and other scams.
It’s not often that a serious cyber threat is identified while still in development, nor is it common that the developer lets the world know when it will be released. With that information available it’s important to assess your level of readiness now.
RedBoot’s October release could be inconsequential, or it could be an epidemic that paralyzes businesses and permanently destroys data. Take this opportunity to ensure your place in the percentage of companies that aren’t affected by this highly lethal new form of malware.