A new ransomware can replace the master boot record and alter the partition table.
By being able to do both those tasks, the malware can then end up acting like a wiper.
Called RedBoot by researchers at Malware Blocker, the malware can encrypt executables and DLLs along with normal data files. In addition, by replacing the master boot record, it prevents the computer from loading Windows.
RedBoot ransomware extracts five files into a random folder in the same directory as the launcher: assembler.exe, boot.asm, main.exe, overwrite.exe, and protect.exe, said BleepingComputer’s Lawrence Abrams in a post.
One of the files, assembler.exe, which is a renamed copy of nasm.exe, ends up used to compile the boot.asm assembly file into a new master boot record boot.bin file. Next, overwrite.exe overwrites the existing boot.bin with the newly compiled one.
The user mode encryption operation is performed by the main.exe file, while protect.exe terminates and prevents various programs from running.
After the files end up extracted, the launcher executes the necessary command to the new boot.bin file, and then deletes the boot.asm and assembly.exe files. Next, it overwrites boot.bin, and then starts main.exe to scan the computer for files to encrypt. protect.exe is also launched to prevent other programs from blocking or analyzing the infection.
The ransomware encrypts executables, DLLs, and normal data files on the infected machine, and appends the .locked extension to each of the encrypted files. As soon as the encryption process has been completed, the malware reboots the machine and the new master boot record displays a ransom note instead of loading Windows.
Although the ransom note said victims can recover their data if they contact the malware author at firstname.lastname@example.org to receive payment instructions, researchers said that may not be the case.
“While this ransomware does perform standard user mode encryption, the modifying of the partition table and no way of inputting a key to recover it, may indicate that this is a wiper disguised as a ransomware,” Abrams said. “Then again, since the developer used a scripting language like AutoIT to develop this ransomware, it could very well be just a buggy and poorly coded ransomware.”