ACG-CYBER SECURITY BULLETIN NO 114 UNDERSTANDING REDBOOT RANSOMWARE
The following information was obtained from various cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG).
The information provided is classified as Restricted pursuant to PNP Regulation 200-012 on Document Security, with an Impact Rating of High based on the PNP Information and Communications Technology (ICT) Security Manual s.2010-01, p. 22 and p. 129.
RedBoot is a new bootlocker ransomware, discovered by Malware Blocker, which when executed encrypts files on the computer, replaces the Master Boot Record (MBR) of the system drive and then modifies the partition table.
When the RedBoot ransomware is executed, it extracts five (5) other files into a random folder under the directory from which the launcher was executed. These files are boot.asm, assembler.exe, main.exe, overwrite.exe and protect.exe.

Boot.asm is an assembly file that will be compiled into the new master boot record, while assembler.exe is a renamed copy of nasm.exe that is used to compile the boot.asm assembly file into the new master boot record. After boot.asm has been compiled by assembler.exe, the boot.bin file is generated. Overwrite.exe is the program used to overwrite the existing master boot record with the newly compiled boot.bin, and main.exe is the user-mode encrypter that encrypts the files on the computer. The protect.exe file terminates and prevents various programs from running, including Task Manager and Process Hacker.

Once the files are extracted, the main launcher compiles the boot.asm file into a boot.bin file and then deletes boot.asm and assembler.exe. The overwrite.exe program then overwrites the current master boot record with the compiled boot.bin. The launcher then starts the main.exe program, which scans the computer for files to encrypt. The main.exe program then launches protect.exe to block programs that may be used to analyze or stop the infection.

While main.exe is encrypting files, it encrypts executables, DLLs and normal data files and appends the .locked extension to the name of each encrypted file. After the files are encrypted, it reboots the computer; instead of restarting normally, the computer displays a ransom note generated by the new master boot record, which instructs the victim to send their ID key to the developer in order to receive payment instructions.
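The dropped component names and the .locked extension described above are the host-side indicators a responder can sweep for. The following triage helper is an added example written for this bulletin, not a PNP ACG or vendor tool; the component file names and extension come from the description above, the sample directory tree is constructed in the script, and the "3 of 5 names side by side" threshold is an assumption chosen because the launcher deletes boot.asm and assembler.exe once compilation is done.

```python
"""Defensive triage sweep for the RedBoot dropper footprint (added example)."""
import os
import tempfile

# Files the bulletin says the launcher extracts together into one random folder.
REDBOOT_COMPONENTS = {"boot.asm", "assembler.exe", "main.exe", "overwrite.exe", "protect.exe"}
# Extension the bulletin says main.exe appends to every encrypted file.
LOCKED_EXT = ".locked"
# Assumed threshold: boot.asm and assembler.exe are deleted after compiling,
# so a live infection may leave only the other three components behind.
MIN_COMPONENT_HITS = 3


def scan_tree(root):
    """Walk root; return (suspect_dirs, locked_count).

    suspect_dirs is a list of (path, sorted component names found) for every
    folder holding MIN_COMPONENT_HITS or more of the component names together;
    locked_count is the number of files carrying the .locked extension.
    """
    suspect_dirs, locked = [], 0
    for dirpath, _dirs, files in os.walk(root):
        hits = {f.lower() for f in files} & REDBOOT_COMPONENTS
        if len(hits) >= MIN_COMPONENT_HITS:
            suspect_dirs.append((dirpath, sorted(hits)))
        locked += sum(1 for f in files if f.lower().endswith(LOCKED_EXT))
    return suspect_dirs, locked


def assess(root):
    """Summarise a tree as 'clean', 'dropper-staging' or 'encryption-in-progress'."""
    suspect_dirs, locked = scan_tree(root)
    if locked:
        return "encryption-in-progress"   # main.exe has already started renaming files
    if suspect_dirs:
        return "dropper-staging"          # components dropped, MBR/encryption may be imminent
    return "clean"


def build_sample_tree(with_locked=True):
    """Constructed sample data: a staging folder plus a user folder with encrypted files."""
    root = tempfile.mkdtemp(prefix="redboot-demo-")
    staging = os.path.join(root, "Temp", "x7k2q")   # constructed random folder name
    os.makedirs(staging)
    for name in ("main.exe", "overwrite.exe", "protect.exe"):   # boot.asm/assembler.exe already deleted
        open(os.path.join(staging, name), "wb").close()
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    victims = ("report.docx.locked", "budget.xlsx.locked") if with_locked else ()
    for name in victims + ("notes.txt",):
        open(os.path.join(docs, name), "wb").close()
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    print(assess(sample), scan_tree(sample))
```

Run it against a mounted image or a live host's user-writable paths; a hit on the staging folder alone, before any .locked files appear, is the window in which isolating the machine still prevents the MBR overwrite and encryption.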
PNP personnel and the public are advised to follow these tips in order not to be victimized by RedBoot ransomware:
- Always maintain a backup of your data.
- Set Windows to show hidden file extensions.
- Use the CryptoLocker Prevention Kit.
- Disable Remote Desktop Protocol.
- Patch or update your software.
- Use a reputable security suite.
For additional information, please refer to the following websites:
POINT OF CONTACT