A new ransomware called RedBoot is one of the most dangerous yet. It does not only encrypt files, it also alters the partition table and the master boot record to cause what seems to be permanent damage.
Early research into RedBoot hasn’t turned up a command and control server, nor are people behind this asking for Bitcoin payment. Those facts, along with what looks to be irreparable encryption, is leading some to believe RedBoot is just designed to do damage.
It’s possible that RedBoot is just poorly coded, which is where Lawrence Abrams of Bleeping Computer is pointing to.
We need to get worried about catching RedBoot as the developer of the ransomware contacted Abrams and told him that the current version is a development build. The final version, the developer said, will be out this October.
That’s why we need to start worrying.
How does RedBoot destroys computers
RedBoot’s current version comes as a compiled AutoIT executable that extracts into five components: an assembler, a boot.asm that the assembler turns into boot.bin, an overwrite executable that turns boot.bin into the new MBR, an executable that encrypts files, and another executable that prevents programs like Task Manager and Process Hacker from running.
After RedBoot does its work it restarts the computer and the new Master Boot Record simply boots to a red screen containing a message reporting that the computer has been encrypted and to contact its developer for unlock instructions.
Image: Bleeping Computer
As part of its execution sequence RedBoot also changes the partition table, and Abrams hasn’t discovered a way to reverse it.
Poorly coded or not, RedBoot is a serious threat.
There’s no way of knowing how RedBoot will propagate itself come October, and that’s troubling considering all the damage it could do.
Businesses and individuals concerned about permanent loss of files should ensure workstations are backed up to some form of network or cloud storage, antivirus software definitions are up to date, and users are trained to avoid phishing and other scams.
It’s not often that a serious cyber threat is identified while still in development, nor is it common that the developer lets the world know when it will be released. With that information available it’s important to assess your level of readiness now.
RedBoot’s October release could be inconsequential, or it could be an epidemic that paralyzes businesses and permanently destroys data. Take this opportunity to ensure your place in the percentage of companies that aren’t affected by this highly lethal new form of malware.
The top three points in this:
- A new malware called RedBoot can do more than just encrypt data. It also modifies the Master Boot Record and partition table to cause irreparable damage.
- RedBoot is still in development, and its programmer says a final version will be released this October. It’s impossible to tell at this point what additional features may be added.
- RedBoot has the potential to be destructive, but we know when it’s coming. Take the time to ensure files are backed up and other security measures are in place to prevent a potentially devastating outbreak.