RedBoot Ransomware
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Threat Level: | 100 % (High) |
| Infected Computers: | 2 |
| First Seen: | September 25, 2017 |
| Last Seen: | May 3, 2023 |
| OS(es) Affected: | Windows |
The RedBoot Ransomware is an encryption ransomware Trojan that was first observed on September 23, 2017. The RedBoot Ransomware represents a real threat to the victims' data and may be delivered either via spam email attachments or by taking advantage of poorly protected RDP (Remote Desktop Protocol) connections. Other ways in which the RedBoot Ransomware can be distributed include unsafe online downloads and attack websites. The RedBoot Ransomware is similar to most encryption ransomware Trojans active today since it uses a strong encryption method to make the victim's files inaccessible and then demands a ransom from the infected computer user in exchange for the decryption key necessary to recover the affected files.
Table of Contents
The Red Boot that will Try to Affect Your Finances
The RedBoot Ransomware is still in a test version and is not deploying its full attack. In most encryption ransomware attacks, using a strong encryption algorithm encrypts the victim’s files. Trojans like the RedBoot Ransomware target the user-generated files such as video, audio, music, text files, databases, configuration files and numerous others. Examples of the file types that are typically compromised by these infections include:
.3gp, .7z, .apk, .avi, .bmp, .cdr, .cer, .chm, .conf, .css, .csv, .dat, .db, .dbf, .djvu, .dbx, .docm, ,doc, .epub, .docx .fb2, .flv, .gif, .gz, .iso .ibooks, .jpeg, .jpg, .key, .mdb .md2, .mdf, .mht, .mobi .mhtm, .mkv, .mov, .mp3, .mp4, .mpg, .mpeg, .pict, .pdf, .pps, .pkg, .png, .ppt .pptx, .ppsx, .psd, .rar, .rtf, .scr, .swf, .sav, .tiff, .tif, .tbl, .torrent, .txt, .vsd, .wmv, .xls, .xlsx, .xps, .xml, .ckp, .zip, .java, .py, .asm, .c, .cpp, .cs, .js, .php, .dacpac, .rbw, .rb, .mrg, .dcx, .db3, .sql, .sqlite3, .sqlite, .sqlitedb, .psd, .psp, .pdb, .dxf, .dwg, .drw, .casb, .ccp, .cal, .cmx, .cr2.
The files encrypted by these attacks are marked with the file extension '.locked,' which will be added to the file's name. In its attack though, the RedBoot Ransomware will modify the MBR (Master Boot Record), a feature seen mostly in rootkits. This makes the RedBoot Ransomware much more threatening than the average ransomware Trojan since it prevents Windows from loading altogether. It means that the victim will have to reinstall their operating system after reformatting the affected hard drive and restore the affected files from backup copies to recover from a RedBoot Ransomware attack. The RedBoot Ransomware displays its message in BIOS. The RedBoot Ransomware ransom note reads as follows:
'This computer and all of it's files have been locked! Send an email to redboot@memeware.net containing your ID key for instructions on how to unlock them. Your ID key is [40 RANDOM CHARACTERS]'
Dealing with a RedBoot Ransomware Infection
To make its attack more effective, the RedBoot Ransomware will drop the following files on the victim's computer, which are used to lock the victim's computer:
- assembler.exe
- boot.asm
- boot.bin
- overwrite.exe
- main.exe
- protect.exe
The fact that the RedBoot Ransomware overwrites the MBR and prevents the victim from launching the Task Manager or other utilities that could help the victim's recovery means that the RedBoot Ransomware is uniquely threatening. The RedBoot Ransomware and similar ransomware Trojans that interfere with the boot process are harmful particularly since the recovery process is much more laborious than with other ransomware Trojans. The contact with the people responsible for the RedBoot Ransomware attack should be avoided at all costs. It is very unlikely that they will help you restore your files.
Unfortunately, backups are the only proven way to recover the data that has been locked by the RedBoot Ransomware. Computer users should have file backups on an external memory device or the cloud, as well as a reliable security program to prevent these infections in the first place. To recover from a RedBoot Ransomware attack, it will be necessary to format the affected drives, reinstall the Windows operating system, and restore the affected files from backup copies. Enacting stronger security measures can prevent future infections.
SpyHunter Detects & Remove RedBoot Ransomware
File System Details
| # | File Name | MD5 |
Detections
Detections: The number of confirmed and suspected cases of a particular threat detected on
infected computers as reported by SpyHunter.
|
|---|---|---|---|
| 1. | 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887 | e0340f456f76993fc047bc715dfdae6a | 1 |
