
ACG-CYBER SECURITY BULLETIN NO. 114 UNDERSTANDING REDBOOT RANSOMWARE

The following information was obtained from the different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG).

The information provided was classified as Restricted pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p. 129.

SUMMARY

RedBoot is a new bootlocker ransomware, discovered by Malware Blocker, which when executed encrypts files on the computer, replaces the Master Boot Record of the system drive and then modifies the partition table.

When the RedBoot ransomware is executed, it extracts five (5) other files into a random folder in the directory from which the launcher was executed. These files are boot.asm, assembler.exe, main.exe, overwrite.exe and protect.exe. Boot.asm is an assembly file that will be compiled into the new master boot record, while assembler.exe is a renamed copy of nasm.exe that is used to compile the boot.asm assembly file into the master boot record file, boot.bin. Overwrite.exe is the program used to overwrite the existing master boot record with the newly compiled boot.bin, and main.exe is the user mode encrypter that encrypts the files on the computer. Protect.exe terminates and prevents various programs from running, including the task manager and Process Hacker.

Once the files are extracted, the main launcher compiles the boot.asm file into boot.bin and then deletes boot.asm and assembler.exe. Overwrite.exe then overwrites the current master boot record with the compiled boot.bin. The launcher next starts main.exe, which scans the computer for files to encrypt, and main.exe launches protect.exe to block programs that may be used to analyze or stop the infection. While encrypting, main.exe encrypts executables, DLLs and normal data files and appends the .locked extension to the name of each encrypted file.

After the files are encrypted, the ransomware reboots the computer. Instead of restarting normally, the computer displays a ransom note generated by the new master boot record, which instructs the victim to send their ID key to the developer in order to receive payment instructions.
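As an added example (not from the bulletin or from any of its cited sources), the following Python script shows how a defender can baseline a machine's 512-byte MBR and later detect the two changes the bulletin describes, a replaced boot record and a modified partition table. The sample sectors are constructed inline, and the names parse_mbr, compare_to_baseline and build_mbr are this example's own.

```python
import hashlib
import struct
SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
ENTRY_FMT = "<B3xB3xII"  # status, CHS start skipped, type, CHS end skipped, LBA start, sectors

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a bootstrap-code hash, four partition entries and a signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, sector, 446 + 16 * i)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"code_sha256": hashlib.sha256(sector[:446]).hexdigest(),
            "partitions": partitions,
            "signature_ok": sector[510:512] == BOOT_SIGNATURE}

def compare_to_baseline(baseline: bytes, current: bytes) -> list:
    """Return findings that indicate a bootlocker replaced the boot code or rewrote the partition table."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if base["code_sha256"] != cur["code_sha256"]:
        findings.append("bootstrap code changed")
    for i, (b, c) in enumerate(zip(base["partitions"], cur["partitions"])):
        if b != c:
            findings.append(f"partition entry {i} changed")
    return findings

def build_mbr(code: bytes, partitions) -> bytes:
    """Assemble a synthetic MBR for testing (constructed data, not a real disk image)."""
    sector = bytearray(SECTOR_SIZE)
    code = code[:446]
    sector[:len(code)] = code
    for i, (bootable, ptype, start, size) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sector, 446 + 16 * i, 0x80 if bootable else 0, ptype, start, size)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)

# Constructed sample: a clean baseline with one bootable NTFS partition (type 0x07) and a
# tampered copy whose bootstrap code was replaced and whose partition table was wiped.
BASELINE = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", [(True, 0x07, 2048, 204800)])
_tampered = bytearray(BASELINE)
_tampered[:446] = b"\xeb\xfe" + bytes(444)   # replacement boot code (a jump-to-self stub)
_tampered[446:510] = bytes(64)               # all four partition entries zeroed
TAMPERED = bytes(_tampered)
```

On a live Windows host the current sector would be read from \\.\PhysicalDrive0 with administrative rights and compared against a baseline taken at deployment time, which flags bootlocker activity before the reboot that shows the ransom note.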

RECOMMENDATION

PNP personnel and the public are advised to follow these tips in order not to be victimized by RedBoot ransomware:

  • Always maintain a backup of your data.
  • Enable the display of hidden file extensions.
  • Use the CryptoLocker Prevention Kit.
  • Disable Remote Desktop Protocol.
  • Patch or update your software.
  • Use a reputable security suite.

For additional information, please refer to the following websites:

Securityaffairs.co

https://www.trendmicro.com

https://www.bleepingcomputer.com

POINT OF CONTACT

Please contact PCINSP ANGELICA STARLIGHT L. RIVERA, Chief, Personnel Records Management Section, thru email or contact us on telephone number (632) 7230401 local 3562 for any inquiries related to this CYBER SECURITY BULLETIN.

ACG-CYBER SECURITY BULLETIN NO. 113 UNDERSTANDING BITCOINS

The following information was obtained from the different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG).

The information provided was classified as Restricted pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p. 129.

SUMMARY

Bitcoin is an electronic currency, also known as a cryptocurrency. It is a form of digital public money that is created by painstaking mathematical computations and monitored by millions of computer users called miners.

Bitcoin allows users to send and receive funds directly to each other without requiring a bank or other payment processing intermediary to facilitate the transaction. It is considered a peer-to-peer system based on blockchain technology, which maintains a public ledger of all transfers on the bitcoin network while preventing fraudulent activity such as double spending.

A bitcoin wallet is a software program where bitcoins are stored, and a transfer of value between bitcoin wallets is called a transaction. All transactions are included in the blockchain. The bitcoin wallet keeps a secret piece of data called a private key, which is used to sign transactions, providing mathematical proof that they have come from the owner of the wallet.

The Bangko Sentral ng Pilipinas (BSP) does not endorse the use of bitcoin, since it is neither issued nor guaranteed by a central bank nor backed by any commodity. The BSP does, however, regulate virtual currencies when they are used for the delivery of financial services, specifically payments and remittances, which have an impact on anti-money laundering and combating the financing of terrorism, consumer protection and financial stability.

RECOMMENDATION

PNP personnel and the public are advised to follow these tips when dealing with bitcoins:

  • Keep separate wallets. There is no limit to the number of bitcoin wallets; have a separate wallet for spending money and a separate address for receiving payments.
  • Do not keep your savings in a web wallet, even though it is convenient.
  • Always remember that bitcoins do not work like a credit card. If you lose money to fraud, nobody can send a refund.
  • Protect your privacy. Never share your private keys with anyone else.
  • Keep your wallet’s private key stored in an offline medium.
  • Always keep a backup of your wallets.

For additional information, please refer to the following websites:

https://www.carbonblack.com

https://securelist.com

https://www.lifewire.com

POINT OF CONTACT

Please contact PCINSP ANGELICA STARLIGHT L. RIVERA, Chief, Personnel Records Management Section, thru email or contact us on telephone number (632) 7230401 local 3562 for any inquiries related to this CYBER SECURITY BULLETIN.