RedBoot targets Windows OS and its distribution method is currently unknown. When a system becomes infected, RedBoot extracts 5 files (assembler.exe, boot.asm, main.exe, overwrite.exe, and protect.exe) into a random folder within the originating directory from which the ransomware's executable was originally launched. It compiles the boot.asm file into the boot.bin file, which then deletes boot.asm and assembly.exe from the system. Following this process, RedBoot launches overwrite.exe to overwrite the system's Master Boot Record (MBR) and then uses main.exe to scan the system to encrypt files, appending .locked to the file names. After all targeted files are encrypted, RedBoot reboots the system and displays a ransom note generated by the MBR, preventing the operating system from loading. Early research suggests that RedBoot may be damaging the partition table, eliminating all possibility of restoration, regardless of whether or not the victim receives a decryption key.
Associated email addresses: firstname.lastname@example.org
- Bleeping Computer provides more information about RedBoot here.
- The NJCCIC is not currently aware of any free decryption or hard drive restoration tools available for RedBoot.