RedBoot, a new malware threat, has been identified by cyber security researchers. The threat is not unlike NotPetya: it appears to be a form of ransomware, when in fact it is really a wiper.
RedBoot malware encrypts files, making them inaccessible, and appends the .locked extension to each encrypted file. Once the encryption process is finished, a ‘ransom’ note is displayed to the user, providing an email address to contact to discover how to unlock the encrypted files. Like NotPetya, RedBoot malware also alters the master boot record.
RedBoot incorporates a module that overwrites the current master boot record, and it also appears that changes are made to the partition table, but there is currently no mechanism for undoing those changes. There is also no command and control server, and even though an email address is given, no ransom demand appears to be made. RedBoot is therefore a wiper, not ransomware.
In its current guise the malware causes permanent damage, even if the developer's intention is to use it to extort money from victims. It is strange that an incomplete version of the malware has been released and that advance notice has been given of a new version about to be made public, but it does give businesses time to ready themselves.
The attack vector has yet to be identified, so it is not possible to give specific instructions on how to prevent RedBoot malware attacks. The security measures that should be put in place are therefore the same as for stopping any malware variant.
A spam filtering solution should be put in place to block malicious emails. Users should be warned of the threat of phishing emails, shown how to identify malicious emails, and told never to open attachments or click on hyperlinks sent by unknown people.
IT teams should make sure all computers and servers are fully patched, that SMBv1 has been turned off or its vulnerabilities have been addressed, and that antivirus software has been installed on all computers.
It is also important to back up all systems so that, in the event of an attack, systems can be restored and data recovered.
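Of the measures above, turning off SMBv1 is the one most often left half done. The script below is an added example, not part of the original article: it audits whether SMBv1 is enabled on a Windows host, lists any clients still negotiating an SMB 1.x dialect (these would lose access once it is disabled), and only applies the change when run with the assumed -Disable switch.

```powershell
# Audit and optionally disable SMBv1 on a Windows host (added example, not from
# the original article). Run from an elevated PowerShell session. Without
# -Disable the script only reports; -WhatIf previews the changes.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Disable)

# 1. Server-side setting: is the SMB1 protocol enabled on the file server service?
$server = Get-SmbServerConfiguration
Write-Host "SMB1 server protocol enabled : $($server.EnableSMB1Protocol)"

# 2. Is the SMB1 optional component installed at all? (May be absent on some SKUs.)
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature) { Write-Host "SMB1Protocol component state  : $($feature.State)" }

# 3. Inbound sessions still using an SMB 1.x dialect would break once it is turned
#    off, so list them before changing anything and fix those clients first.
$legacy = Get-SmbSession -ErrorAction SilentlyContinue | Where-Object { $_.Dialect -like '1.*' }
if ($legacy) {
    Write-Warning "Clients still using SMB1 (remediate these before disabling):"
    $legacy | Select-Object ClientComputerName, ClientUserName, Dialect | Format-Table -AutoSize
}

if (-not $Disable) {
    Write-Host "Audit only. Re-run with -Disable to turn SMB1 off."
    return
}

# 4. Turn the protocol off at the service level (takes effect immediately) ...
if ($PSCmdlet.ShouldProcess('SMB server', 'Disable SMB1 protocol')) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# 5. ... and remove the component so a stray setting cannot re-enable it.
if ($feature -and $feature.State -eq 'Enabled' -and
    $PSCmdlet.ShouldProcess('SMB1Protocol feature', 'Disable-WindowsOptionalFeature')) {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Write-Host "SMB1Protocol component disabled; a reboot completes the removal."
}
```

On Windows Server the component is managed with Get-WindowsFeature FS-SMB1 and Remove-WindowsFeature FS-SMB1 instead of the optional-feature cmdlets; the server-configuration check in step 1 applies to both.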