Redboot “Ransomware” Is Capable of Permanently Altering Hard Drive Partitions

RedBoot is a new bootlocker ransomware which seemingly modifies computers’ partition tables. Users are unable to decrypt their files or restore their partition settings whatsoever. It is not the first time we have seen a crossover between ransomware and data wiping capabilities in the malware world. There have been a few types of malware which disguise themselves as ransomware but effectively delete encrypted data. 

RedBoot Is a Very Serious Threat

Malware developers must continually come up with new ways to trick computer users into making ransom payments. While ransomware itself still proves pretty successful in this regard, adding some more pressure can help move things along at an accelerated pace. It appears that is the primary objective of RedBoot right now, as it is quite a powerful tool which can wreak a lot of havoc. This is not your average ransomware strain by any means, as its real purpose is even more nefarious.

More specifically, it turns out RedBot is capable of encrypting files on a computer. That in itself is not entirely surprising these days, as many types of malicious software use this method. However, there is a lot more to RedBoot, as it also replaces the Master Boot Record on a target computer. We have seen this behavior before, but not in a permanent capacity. Plus, in this case the tool modifies the partition table to cause irreparable damage.

What is pretty disconcerting about RedBoot is how there is no way to restore a computer’s Master Boot Record once the damage has been done. Nor can victims restore the partition table, which means they can’t effectively recover or restore their files whatsoever. This seems to indicate this new malware type is intent on wiping data completely rather than simply collecting a Bitcoin payment. Security experts fear this was done on purpose, rather than being an oversight on the part of the RedBoot developer.

As one would come to expect, the name RedBoot is aptly chosen. Once a victim is infected with this malware and their computer is rebooted by the program, he or she will see a red screen containing a ransom note during the boot procedure. This ransom note is generated by the modified Master Boot Record, which is pretty interesting. There are no specific instructions as to how to obtain a recovery ID other than by sending an email and copying the ID key. There is no central command & control server being used right now, nor is there any request for a Bitcoin payment either.

Most people who have been paying close attention will know that paying a ransom has no purpose whatsoever. This malware is clearly designed to wipe data and make file recovery impossible. There is no indication as to how one could enter a decryption key either, as it has no text boxes which could be used to do so. It is possible the developer will send a different executable file for this particular purpose, although that seems highly unlikely. Paying the ransom will not result in getting files back; that much is certain.

The bigger question is whether or not tools such as RedBoot will become more common in the world of cybercrime. If that were the case, things would go from bad to worse pretty quickly. Data wipers are a legitimate threat to computer users all over the world, and developers often deploy such measures as a cyber weapon first and foremost. Even though this tool was created with the AutoIT language, it certainly is a big problem when you have to deal with it. It is possible this is still a buggy form of ransomware, but for now it’s difficult to say for sure.