
Crypto Trojan RedBoot infects MBR and destroys files (25.09.2017, 16:28)





A new ransomware is pushing its way into the Master Boot Record of Windows PCs. In addition, it also encrypts files - but without providing a path to decryption.

The ransomware RedBoot, which was analyzed by Bleepingcomputer, encrypts the MBR (master boot record) of the infected PC and modifies the partition table. This effectively prevents Windows from starting. Instead, the blackmail message is displayed: the computer and all its files are encrypted, and the user should contact the developers by e-mail to receive decryption instructions.

After RedBoot is run, it overwrites the MBR with the compiled assembler code it ships with. The two programs main.exe and protect.exe, which are also included, are then started. The first program scans the computer and encrypts executable programs, DLLs as well as documents and images. These are given the .locked suffix. At the same time, protect.exe ensures that main.exe is able to work as much as possible, and blocks programs that could interfere with or prevent infection. This includes, among other things, the Task Manager. When the encryption is finished, the ransomware restarts the PC. Instead of Windows, the above-mentioned extortion message is displayed.

No way back

The analysts of Bleepingcomputer have not found a way to enter a decryption code, so RedBoot-encrypted data is unrecoverable. Either RedBoot is a very poorly written and buggy ransomware, or it was never designed to be able to decrypt the data again, in which case it would be classified as a wiper. The ransomware, written in AutoIT, mimics the ransomware Petya, which has also been used in Germany, with its replacement of the MBR. RedBoot arrives at the PC via a path not mentioned in the source; usually ransomware spreads via infected e-mail attachments. (Rei)


Google translation of https://www.heise.de/security/meldung/Krypto-Trojaner-RedBoot-infiziert-MBR-und-zerstoert-Dateien-3840923.html

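As an added illustration (not from the heise article or the Bleepingcomputer analysis), the check below parses a raw 512-byte MBR and reports bootstrap-code or partition-table changes against a trusted baseline copy, the two things the article says RedBoot modifies. The sample sectors, their placeholder boot bytes and the helper names are all constructed for this example.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445: the bootstrap code RedBoot overwrites
PART_TABLE_OFFSET = 446       # four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR

def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into a boot-code hash, partition entries and a signature flag."""
    if len(sector) != MBR_SIZE:
        raise ValueError("expected a 512-byte sector")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # status, CHS start, type, CHS end, LBA start, sector count (little-endian)
        status, _chs_a, ptype, _chs_b, lba, count = struct.unpack("<B3sB3sII", sector[off:off + 16])
        parts.append({"active": status == 0x80, "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": parts,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }

def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Return findings where the current sector departs from a trusted baseline copy."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not c["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if b["boot_code_sha256"] != c["boot_code_sha256"]:
        findings.append("bootstrap code (bytes 0-445) changed")
    for i, (pb, pc) in enumerate(zip(b["partitions"], c["partitions"])):
        if pb != pc:
            findings.append(f"partition entry {i} changed: {pb} -> {pc}")
    return findings

def build_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a constructed test sector (helper for the sample below, not real disk data)."""
    table = b"".join(struct.pack("<B3sB3sII", *e) for e in entries)
    table += b"\x00" * 16 * (4 - len(entries))
    return boot_code.ljust(BOOT_CODE_SIZE, b"\x00") + table + BOOT_SIGNATURE

# Constructed sample: a disk with one active NTFS (0x07) partition, and the same disk after
# its boot code and first partition entry were rewritten. Boot bytes are arbitrary placeholders.
HEALTHY = build_mbr(b"\x90" * 40, [(0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)])
TAMPERED = build_mbr(b"\xcc" * 60, [(0x80, b"\x00\x00\x00", 0x7f, b"\x00\x00\x00", 4096, 1_000_000)])

if __name__ == "__main__":
    for line in compare_mbr(HEALTHY, TAMPERED):
        print("ALERT:", line)
```

On a live machine the current sector would be the first 512 bytes read from the physical disk, with the baseline captured from a known-good state and stored off the host.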
4 hours ago, knowledge said:

It's why I use Shadow Defender; ransomware can't push its way into the Master Boot Record :D


I don't care if something infects my MBR (I have an image)

