Security

RedBoot: A new ransomware that can encrypt and repartition your hard drive-permanently

The newly discovered RedBoot ransomware can alter master boot records, change partition tables, and encrypt files. The worst part? Early analysis points to everything being unrecoverable.

A newly discovered ransomware called RedBoot is one of the most dangerous yet. Not only does it encrypt files, it also alters the partition table and the master boot record (MBR) to cause what seems to be permanent damage.

Early research into RedBoot hasn't turned up a command and control server, nor are ransomers asking for Bitcoin payment. Those facts, along with what looks to be irreparable encryption, is leading some to believe RedBoot is just designed to do damage.

It's possible that RedBoot is just poorly coded, which is where Lawrence Abrams of Bleeping Computer is leaning.

If you're worried about catching RedBoot you don't need to be—yet. RedBoot's developer contacted Abrams and told him that the current version is a development build. The final version, the developer said, will be out in October.

That's when you'll need to start worrying.

How RedBoot destroys computers

RedBoot's current version comes as a compiled AutoIT executable that extracts into five components: an assembler, a boot.asm that the assembler turns into boot.bin, an overwrite executable that turns boot.bin into the new MBR, an executable that encrypts files, and another executable that prevents programs like Task Manager and Process Hacker from running.

SEE: Ransomware: The smart person's guide (TechRepublic)

After RedBoot does its work it restarts the computer and the new MBR simply boots to a red screen containing a message reporting that the computer has been encrypted and to contact its developer for unlock instructions.

ransom-screen.png

The ransom screen of the aptly named RedBoot.

Image: Bleeping Computer

As part of its execution sequence RedBoot also changes the partition table, and Abrams hasn't discovered a way to reverse it.

Poorly coded or not, RedBoot is a serious threat.

Preemptive protection

There's no way of knowing how RedBoot will propagate itself come October, and that's troubling considering all the damage it could do.

SEE: Computer Hacking Forensic Investigation & Penetration Testing Bundle (TechRepublic Academy)

Businesses and individuals concerned about permanent loss of files should ensure workstations are backed up to some form of network or cloud storage, antivirus software definitions are up to date, and users are trained to avoid phishing and other scams.

It's not often that a serious cyber threat is identified while still in development, nor is it common that the developer lets the world know when it will be released. With that information available it's important to assess your level of readiness now.

RedBoot's October release could be inconsequential, or it could be an epidemic that paralyzes businesses and permanently destroys data. Take this opportunity to ensure your place in the percentage of companies that aren't affected by this highly lethal new form of malware.

The top three takeaways for TechRepublic readers:

  1. A new form of malware called RedBoot can do more than just encrypt data: It also modifies the MBR and partition table to cause irreparable damage.
  2. RedBoot is still in development, and its programmer says a final version will be released in October. It's impossible to tell at this point what additional features may be added.
  3. RedBoot has the potential to be destructive, but we know when it's coming. Take the time now to ensure files are backed up and other security measures are in place to prevent a potentially devastating outbreak.

Also see:

About Brandon Vigliarolo

Brandon writes about apps and software for TechRepublic. He's an award-winning feature writer who previously worked as an IT professional and served as an MP in the US Army.

Editor's Picks

Free Newsletters, In your Inbox