RedBoot Ransomware (Modifying the MBR + File Encryption <.locked>) - Videos - CheckMAL

Videos

Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.

Distribution Method : Unknown

MD5 : e0340f456f76993fc047bc715dfdae6a

Major Detection Name : Trojan.Win32.KillMBR.gfd (Kaspersky), Ransom:Win32/Genasom (Microsoft)

Encrypted File Pattern : .locked

Malicious File Creation Location :
- C:\Users\%UserName%\<8 Digits Random Number>\assembler.exe
- C:\Users\%UserName%\<8 Digits Random Number>\boot.asm
- C:\Users\%UserName%\<8 Digits Random Number>\boot.bin
- C:\Users\%UserName%\<8 Digits Random Number>\main.exe
- C:\Users\%UserName%\<8 Digits Random Number>\overwrite.exe
- C:\Users\%UserName%\<8 Digits Random Number>\protect.exe

Major Characteristics :
- Offline Encryption
- GoldenEye / Mischa / NotPetya / PetrWrap Ransomware series
- AutoIt scripts based Ransomware
- Modifying the MBR + File Encryption
- Disable Task Manager (Taskmgr.exe) and Process Hacker (ProcessHacker.exe)