RedBoot Ransomware That Encrypts Permanently

A newly discovered ransomware has been found to encrypt files but also alters the partition table and Master Boot Record (MBR) with the aim to cause permanent damage.

When RedBoot executes it will extract five files into a random folder in the directory that the launcher was executed. Encrypted files can be identified with the “.locked” extension to the file.

Once file encryption is completed it will reboot the computer and display the ransom note which is generated by the MBR, rather than starting Windows. The ransom instructs the user to send the ID key, displayed on the ransom note, to an email address that provides the user with payment instructions.

Encrypting the MBR means that the user is unable to access any data on their device, resulting in the device being unusable.

At the time of publication there is no indication as to the root of initial infection.

Affected Platforms:

Microsoft Windows – all versions

Resolution:

As with all forms of zero day malware the first line of defence against new variants of ransomware is user awareness and safe working practices.

To avoid becoming infected with ransomware, ensure that:

• A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
• All operating systems, antivirus and other security products are kept up to date.
• All day to day computer activities such as email and internet are performed using non-administrative accounts and that permissions are always assigned on the basis of least privilege.

To limit the damage of ransomware and enable recovery:

• All critical data must be backed up, and these backups must be sufficiently protected/kept out of reach of ransomware.
• Multiple backups should be created including at least one off-network backup (e.g. to tape).