RedBoot malware leaves researchers wondering if it's a ransomware or a wiper

A new bootlocker malware is leaving researchers scratching their heads over whether to classify it as a poorly coded ransomware or a cleverly designed wiper.

The malware, dubbed RedBoot, was discovered by Malware Blocker researchers. It encrypts files like a ransomware, but it also replaces the Master Boot Record (MBR) of the system drive and then modifies the partition table, according to a Sept. 23 Bleeping Computer blog post.

The ransomware provides no way to enter a key that restores the MBR and partition table (unless the ransomware developer holds a bootable decryptor), leading researchers to believe the malware may be a wiper, that is, malware designed to destroy the contents of the hard drives of the devices it infects.

“While this ransomware is brand new and still being researched, based on preliminary analysis it does not look promising for any victims of this malware,” researchers said in the post. “This is because in addition to the files being encrypted and the MBR being overwritten, preliminary analysis shows that this ransomware may also be modifying the partition table without providing a method to restore it.”

The developer's use of the AutoIT scripting language led researchers to lean toward the view that the malware is simply a buggy, poorly coded ransomware, although ultimately the author's intentions remain unclear.

Last week, researchers spotted a separate set of ransomware attacks that also left victims unable to decrypt their files. The aggressive campaign spread a Locky variant that used a single identifier, which meant the cybercriminals had no way to send the correct decryption key even if a victim paid.
