Redboot Malware: Ransomware or Wiper

A new bootlocker malware is leaving researchers scratching their heads over whether to classify it as a poorly coded ransomware or a cleverly designed wiper.


The malware, dubbed RedBoot, was discovered by Malware Blocker researchers. It encrypts files like ransomware, but it also replaces the Master Boot Record (MBR) of the system drive and then modifies the partition table, according to a 23 September Bleeping Computer blog post.


The ransomware provides no way to enter a key that restores the MBR and partition table. Unless the developer is holding back a bootable decryptor, that leaves researchers suspecting the malware may in fact be a wiper, designed to destroy the hard drive contents of the devices it infects rather than to ransom them.


“While this ransomware is brand new and still being researched, based on the preliminary analysis it does not look promising for any victims of this malware,” researchers said in the post. “This is because, in addition to the files being encrypted and the MBR being overwritten, preliminary analysis shows that this ransomware may also be modifying the partition table without providing a method to restore it.”
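The layout of the first sector the article is talking about is fixed: 440 bytes of bootstrap code, a 4-byte disk signature, four 16-byte partition entries at offset 446, and the 0x55AA signature at offset 510. That makes it practical to snapshot a known-good copy of the sector and diff it later, which is the check a responder would run when a machine stops booting. The script below is an added example written for this page, not code from the Bleeping Computer analysis or from the malware itself. Both sample sectors are constructed inside the script; the "tampered" one merely simulates overwritten boot code and an erased partition entry and is not RedBoot's actual payload.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR_SIZE = 512
BOOT_CODE_END = 440     # bytes 0..439: bootstrap code
DISK_SIG_OFF = 440      # bytes 440..443: Windows disk signature
TABLE_OFF = 446         # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"  # bytes 510..511


@dataclass(frozen=True)
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_mbr(sector: bytes) -> List[Partition]:
    """Parse the four primary partition entries of a 512-byte MBR.

    Raises ValueError if the sector is the wrong size or lacks the 0x55AA
    signature, the first sign of an overwritten or corrupt MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("boot signature 0x55AA missing")
    parts = []
    for i in range(4):
        entry = sector[TABLE_OFF + 16 * i: TABLE_OFF + 16 * (i + 1)]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) count(4), little-endian
        status, type_id, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if type_id == 0 and count == 0:
            continue  # empty slot
        parts.append(Partition(i, status == 0x80, type_id, lba_start, count))
    return parts


def compare_mbr(baseline: bytes, current: bytes) -> List[str]:
    """Return one finding per MBR region that differs from the known-good baseline."""
    findings = []
    if current[510:512] != BOOT_SIG:
        findings.append("boot signature 0x55AA missing: MBR overwritten or corrupt")
    if baseline[:BOOT_CODE_END] != current[:BOOT_CODE_END]:
        findings.append("bootstrap code (bytes 0-439) differs from baseline")
    if baseline[DISK_SIG_OFF:DISK_SIG_OFF + 4] != current[DISK_SIG_OFF:DISK_SIG_OFF + 4]:
        findings.append("disk signature (bytes 440-443) changed")
    try:
        base_parts = {p.index: p for p in parse_mbr(baseline)}
        cur_parts = {p.index: p for p in parse_mbr(current)}
    except ValueError as exc:
        findings.append(f"partition table unreadable: {exc}")
        return findings
    for i in range(4):
        before, after = base_parts.get(i), cur_parts.get(i)
        if before != after:
            findings.append(f"partition entry {i} changed: {before} -> {after}")
    return findings


def build_mbr(boot_code: bytes, disk_sig: bytes,
              entries: List[Tuple[int, int, int, int]],
              boot_sig: bytes = BOOT_SIG) -> bytes:
    """Assemble a 512-byte MBR from its parts (constructed test data, not a real disk image)."""
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries).ljust(64, b"\x00")
    return boot_code.ljust(BOOT_CODE_END, b"\x00") + disk_sig + b"\x00\x00" + table + boot_sig


# Constructed baseline: one bootable NTFS-type (0x07) partition starting at LBA 2048.
# The boot code bytes are a stand-in, not a real bootloader.
BASELINE_MBR = build_mbr(
    boot_code=b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100,
    disk_sig=b"\x12\x34\x56\x78",
    entries=[(0x80, 0x07, 2048, 1_000_000)],
)

# Constructed "after infection" sector: bootstrap code replaced and the partition entry
# zeroed. This simulates the kind of change the article describes; it is not RedBoot's bytes.
TAMPERED_MBR = build_mbr(
    boot_code=b"\xeb\xfe" + b"LOCKED",
    disk_sig=b"\x12\x34\x56\x78",
    entries=[(0x00, 0x00, 0, 0)],
)

if __name__ == "__main__":
    print("baseline partitions:", parse_mbr(BASELINE_MBR))
    for finding in compare_mbr(BASELINE_MBR, TAMPERED_MBR):
        print("FINDING:", finding)
```

On a live system the baseline is simply the first 512 bytes of the raw disk (for example `\\.\PhysicalDrive0` on Windows or `/dev/sda` on Linux, read as a privileged user) saved somewhere the malware cannot reach. A GPT disk carries only a protective MBR in sector 0, so there the same idea has to be extended to the GPT header and entries as well. Note that a clean diff tells you what was overwritten, not how to rebuild it; if the boot code and partition entries are gone and the author kept no restore path, that is exactly the wiper-like outcome the researchers are warning about.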


The developer's use of the AutoIt scripting language led researchers to lean towards the view that the malware is simply a buggy, poorly coded ransomware, although the author's intentions remain unclear.


Last week researchers also spotted a separate set of ransomware attacks that left victims unable to decrypt their files. The aggressive campaign spread a Locky variant that used the same identifier for every victim, which meant the cyber-criminals had no way to send the correct decryption key even if a victim paid.