According to BleepingComputer’s Lawrence Abrams, RedBoot encrypts users’ files, replaces the Master Boot Record (MBR), and then modifies the partition table. Because the developer provides no way to input a key, a bootable decryptor written for each PC would be the only way to restore files. This is despite its ransom screen, which asks victims to email the creator with their ID key for unlocking and payment instructions. “This computer and all of it’s files have been locked! Send an email to [email protected] containing your ID or instructions on how to unlock them. Your ID key is ____,” reads the message.
Bad Coding or Intentional?
At this point, it’s unclear whether RedBoot is simply buggy or whether the creator is intentionally misleading users. The email address seems to suggest the latter. There has been a rise of so-called memeware in recent times: malware that doesn’t just extort users but tricks them. A recent release called NRansom, for example, asks the user for nude photos before it will unlock their PC. Another version asks users to kill ten people and send proof. Though disguised as ransomware, it’s actually a blocker, and can be remedied with simple steps. Unfortunately, the same can’t be said for RedBoot. A file called protect.exe stops users from opening Task Manager and Process Hacker, the MBR rewrite stops users from booting Windows, and the .dll encryption breaks many services. It seems, then, that the only way out for users is a system restore, and all data will be lost as a result. The analysis is still in its early stages, however, so it’s possible more information will arise.
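A first step when assessing the kind of damage described above is to compare the disk’s current MBR against a known-good backup (for example, a sector image taken before the infection). The following is an added example, not code from the article or from any analysis of RedBoot: it parses the 512-byte MBR, including the partition table the malware is reported to modify, and reports which parts differ. Both MBRs below are constructed inline so the script runs offline; the partition layout and bootstrap bytes are invented sample values.

```python
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446      # bootstrap code occupies bytes 0..445
PART_ENTRY_SIZE = 16         # four 16-byte entries follow
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 on a bootable MBR
ENTRY_FMT = "<B3xB3xII"      # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_mbr(mbr: bytes) -> dict:
    """Split a raw 512-byte MBR into bootstrap code, partition entries and signature check."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, mbr, off)
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return {"bootstrap": mbr[:PART_TABLE_OFFSET], "partitions": entries,
            "signature_ok": mbr[510:512] == BOOT_SIGNATURE}


def compare_mbr(known_good: bytes, suspect: bytes) -> list:
    """Return human-readable findings describing how `suspect` differs from `known_good`."""
    good, bad = parse_mbr(known_good), parse_mbr(suspect)
    findings = []
    if not bad["signature_ok"]:
        findings.append("boot signature 0x55AA missing: firmware will refuse to boot this disk")
    if good["bootstrap"] != bad["bootstrap"]:
        findings.append("bootstrap code differs from backup: MBR boot code was replaced")
    for g, s in zip(good["partitions"], bad["partitions"]):
        if g != s:
            findings.append(f"partition entry {g['index']} changed: {g} -> {s}")
    return findings


def build_sample_mbr(bootstrap: bytes, entries) -> bytes:
    """Construct a synthetic MBR for testing; entries are (status, type, lba_start, sectors)."""
    buf = bytearray(MBR_SIZE)
    code = bootstrap[:PART_TABLE_OFFSET]
    buf[:len(code)] = code
    for i, (status, ptype, lba, n) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, buf, PART_TABLE_OFFSET + i * PART_ENTRY_SIZE, status, ptype, lba, n)
    buf[510:512] = BOOT_SIGNATURE
    return bytes(buf)


# Constructed known-good sample: one bootable NTFS partition (type 0x07) starting at LBA 2048.
GOOD_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0" + b"\x90" * 20, [(0x80, 0x07, 2048, 204800)])
# Constructed tampered sample: bootstrap replaced and the partition's type/bootable flag cleared.
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x00" * 20, [(0x00, 0x00, 2048, 204800)])

if __name__ == "__main__":
    for finding in compare_mbr(GOOD_MBR, TAMPERED_MBR):
        print(finding)
```

On a real machine the 512 bytes would be read from the physical disk (for example `\\.\PhysicalDrive0` on Windows or `/dev/sda` on Linux) with administrator rights, and the backup would be an image saved before the incident.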