Threat Database Ransomware RedBoot Ransomware

RedBoot Ransomware

By GoldSparrow in Ransomware

The RedBoot Ransomware is an encryption ransomware Trojan that was first observed on September 23, 2017. The RedBoot Ransomware represents a real threat to the victims' data and may be delivered either via spam email attachments or by taking advantage of poorly protected RDP (Remote Desktop Protocol) connections. Other ways in which the RedBoot Ransomware can be distributed include unsafe online downloads and attack websites. The RedBoot Ransomware is similar to most encryption ransomware Trojans active today since it uses a strong encryption method to make the victim's files inaccessible and then demands a ransom from the infected computer user in exchange for the decryption key necessary to recover the affected files.

The Red Boot that will Try to Affect Your Finances

The RedBoot Ransomware is still in a test version and is not deploying its full attack. In most encryption ransomware attacks, using a strong encryption algorithm encrypts the victim’s files. Trojans like the RedBoot Ransomware target the user-generated files such as video, audio, music, text files, databases, configuration files and numerous others. Examples of the file types that are typically compromised by these infections include:

.3gp, .7z, .apk, .avi, .bmp, .cdr, .cer, .chm, .conf, .css, .csv, .dat, .db, .dbf, .djvu, .dbx, .docm, ,doc, .epub, .docx .fb2, .flv, .gif, .gz, .iso .ibooks, .jpeg, .jpg, .key, .mdb .md2, .mdf, .mht, .mobi .mhtm, .mkv, .mov, .mp3, .mp4, .mpg, .mpeg, .pict, .pdf, .pps, .pkg, .png, .ppt .pptx, .ppsx, .psd, .rar, .rtf, .scr, .swf, .sav, .tiff, .tif, .tbl, .torrent, .txt, .vsd, .wmv, .xls, .xlsx, .xps, .xml, .ckp, .zip, .java, .py, .asm, .c, .cpp, .cs, .js, .php, .dacpac, .rbw, .rb, .mrg, .dcx, .db3, .sql, .sqlite3, .sqlite, .sqlitedb, .psd, .psp, .pdb, .dxf, .dwg, .drw, .casb, .ccp, .cal, .cmx, .cr2.

The files encrypted by these attacks are marked with the file extension '.locked,' which will be added to the file's name. In its attack though, the RedBoot Ransomware will modify the MBR (Master Boot Record), a feature seen mostly in rootkits. This makes the RedBoot Ransomware much more threatening than the average ransomware Trojan since it prevents Windows from loading altogether. It means that the victim will have to reinstall their operating system after reformatting the affected hard drive and restore the affected files from backup copies to recover from a RedBoot Ransomware attack. The RedBoot Ransomware displays its message in BIOS. The RedBoot Ransomware ransom note reads as follows:

'This computer and all of it's files have been locked! Send an email to containing your ID key for instructions on how to unlock them. Your ID key is [40 RANDOM CHARACTERS]'

Dealing with a RedBoot Ransomware Infection

To make its attack more effective, the RedBoot Ransomware will drop the following files on the victim's computer, which are used to lock the victim's computer:

  • assembler.exe
  • boot.asm
  • boot.bin
  • overwrite.exe
  • main.exe
  • protect.exe

The fact that the RedBoot Ransomware overwrites the MBR and prevents the victim from launching the Task Manager or other utilities that could help the victim's recovery means that the RedBoot Ransomware is uniquely threatening. The RedBoot Ransomware and similar ransomware Trojans that interfere with the boot process are harmful particularly since the recovery process is much more laborious than with other ransomware Trojans. The contact with the people responsible for the RedBoot Ransomware attack should be avoided at all costs. It is very unlikely that they will help you restore your files.

Unfortunately, backups are the only proven way to recover the data that has been locked by the RedBoot Ransomware. Computer users should have file backups on an external memory device or the cloud, as well as a reliable security program to prevent these infections in the first place. To recover from a RedBoot Ransomware attack, it will be necessary to format the affected drives, reinstall the Windows operating system, and restore the affected files from backup copies. Enacting stronger security measures can prevent future infections.

SpyHunter Detects & Remove RedBoot Ransomware

File System Details

RedBoot Ransomware may create the following file(s):
# File Name MD5 Detections
1. file.exe e0340f456f76993fc047bc715dfdae6a 0


Most Viewed