RedBoot Ransomware Virus - Remove and Restore .locked.locked Files


This article aims to help you remove the RedBoot “memeware” ransomware from your computer and try to restore the .locked files that it has encrypted.

A new virus, called RedBoot ransomware, has been identified by researchers to not only replace the Master Boot Record (MBR) on the system drives of the computers it infects, but also to modify the partition table of the infected PC. The RedBoot virus also performs other activities, such as encrypting the files on the infected computer and adding the .locked file extension to them. RedBoot ransomware is by far the worst type of ransomware you could possibly have, because it not only modifies the MBR so that you cannot boot Windows, but also encrypts the files on your hard drive. The end goal is to extort victims into paying a hefty ransom fee in order to restore access to the encrypted files. However, since paying the ransom is highly inadvisable, we recommend that you read the following article in order to learn how to try and recover your files without paying the ransom to the RedBoot cyber-criminals.

Threat Summary

Type: Ransomware, Cryptovirus
Short Description: Encrypts the Master Boot Record (MBR) and the files on the infected PC, and modifies the partition table of the infected PC.
Symptoms: Drops multiple malicious files on the infected computer and begins modifying it, resulting in a ransom message in red and white appearing before Windows boots.
Distribution Method: Spam emails, email attachments, executable files
Detection Tool: See If Your System Has Been Affected by RedBoot (Malware Removal Tool)
User Experience: Join Our Forum to Discuss RedBoot.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

How Does RedBoot Ransomware Infect

The infection process of the RedBoot ransomware virus may be conducted in a multitude of ways, the primary of which may include the usage of different tools that ensure an undetected infection. Such tools may be:

  • Malware loader.
  • Self-extractor.
  • Obfuscation software to hide the malware from conventional antivirus software.
  • Malicious macros used in documents that may cause the infection.
  • Spam bots or other spamming software.

The spamming software which distributes the RedBoot malware may target victims based on a pre-configured list of e-mail addresses. The cyber-criminals may also have pre-registered the e-mail addresses from which the spam messages are sent, and prepared the texts of the messages themselves. The texts may be of a convincing nature, like the example below:

They may contain an e-mail attachment which poses as a legitimate bank statement, receipt, invoice or any other type of document.

RedBoot Ransomware – Malicious Activity

The first activity of RedBoot ransomware is to drop its payload on the computer it has already infected. To do this, the virus may automatically extract 6 files into a completely random folder on the infected PC. The files are the following:

→ assembler.exe

Each of the payload files has a different function and performs various activities on the victim’s computer. The boot.asm file is the one responsible for replacing the master boot record with the screen shown after the attack, thus preventing your computer from booting into Windows. It also includes the ransom note of the virus, which is the following:

Text from image:

“This computer and all of it’s files have been locked! Send an email to [email protected] containing your ID key for instructions on how to unlock them. Your ID key is {Unique Victim ID}”

The result of compiling the boot.asm file via the assembler.exe file (which is the compiler) is a newly generated boot.bin file.

The program used to attack the MBR itself is concealed within the executable file overwrite.exe. But to do this, RedBoot has to stop several programs on the infected computer from running. This is done via the protect.exe file, which the virus uses to kill the Task Manager and Process Hacker processes.
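A defender-side integrity check for the MBR and partition-table tampering described above, added here as an example and not code from the original article or from RedBoot: it parses the 512-byte MBR, verifies the boot signature, validates the four partition entries, and compares the boot code against a SHA-256 baseline taken from a clean backup of the same drive. The sample sectors are constructed for the demonstration and are not real RedBoot artifacts.

```python
import hashlib
import struct

MBR_SIZE = 512
PT_OFFSET = 446            # partition table: 4 entries of 16 bytes at 446..509
BOOT_SIG = b"\x55\xaa"     # 0xAA55 boot signature, stored little-endian at 510..511
ENTRY_FMT = "<B3xB3xII"    # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors

def parse_partition_table(mbr):
    """Return the four partition entries of a 512-byte MBR as dicts."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, mbr, PT_OFFSET + 16 * i)
        entries.append({"index": i, "status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries

def check_mbr(mbr, baseline_sha256):
    """Compare a suspect MBR with the SHA-256 of the boot code (bytes 0..445) from a
    clean backup and return a list of findings; an empty list means nothing suspicious."""
    findings = []
    if mbr[510:512] != BOOT_SIG:
        findings.append("boot signature 0x55AA missing: sector overwritten or damaged")
    if hashlib.sha256(mbr[:PT_OFFSET]).hexdigest() != baseline_sha256:
        findings.append("boot code differs from baseline: possible MBR replacement")
    used = [e for e in parse_partition_table(mbr) if e["type"] != 0]
    if not used:
        findings.append("partition table is empty: table wiped or corrupted")
    if sum(1 for e in used if e["status"] == 0x80) > 1:
        findings.append("more than one active partition: table inconsistent")
    for e in used:
        if e["status"] not in (0x00, 0x80) or e["lba_start"] == 0 or e["sectors"] == 0:
            findings.append("entry %d is malformed: status/start/length invalid" % e["index"])
    return findings

def build_mbr(boot_code, entries):
    """Assemble a 512-byte MBR from boot code and (status, type, lba_start, sectors) tuples."""
    sector = bytearray(MBR_SIZE)
    code = boot_code[:PT_OFFSET]
    sector[:len(code)] = code
    for i, (status, ptype, lba, n) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, PT_OFFSET + 16 * i, status, ptype, lba, n)
    sector[510:512] = BOOT_SIG
    return bytes(sector)

# Constructed samples: a healthy sector with one active NTFS partition, and one whose
# boot code was replaced and whose partition table was zeroed (signature left intact).
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0" + b"\x90" * 443, [(0x80, 0x07, 2048, 204800)])
BASELINE = hashlib.sha256(CLEAN_MBR[:PT_OFFSET]).hexdigest()
TAMPERED_MBR = build_mbr(b"LOCKED!" * 63, [])
```

On a real system the 512 bytes would be read from the raw disk device of the suspect drive mounted in the clean machine, and the baseline hash recorded before any infection, since the check cannot distinguish a new boot loader from a malicious one without it.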

RedBoot Ransomware Encryption Process

Besides using the processes above to overwrite the Master Boot Record and perform some sort of modification on the partition table, the RedBoot ransomware also encrypts the files on the infected computer, adding the .locked extension. After encryption, the files may appear like the following:

The RedBoot virus targets multiple files for encryption, including:

  • Documents.
  • Videos.
  • Archives.
  • Audio files.
  • Text documents.
  • Pictures.
  • Executable files.
  • DLL files.

To encrypt the files, RedBoot ransomware uses the main.exe file, which is responsible for the encryption.

Remove RedBoot Ransomware and Try to Recover .locked.locked Files

Unlike conventional ransomware viruses, the RedBoot ransomware acts very similarly to the NotPetya virus, which also attacks the MBR. The difference is that NotPetya was also a wiper, meaning that it destroys files beyond all recovery.

This is why you should take different steps than the conventional ones to remove this virus and restore your data. Despite the low odds of recovering the files, there is still one method which you could try, and that is to take out your hard drive and try to recover the files from it on another computer.

Here is what you will need to have for the removal and recovery instructions of RedBoot:

  • A screwdriver, corresponding to your desktop/laptop.
  • A secure computer that has been scanned for malware, cleaned and has proper ransomware protection.
  • Patience.

First of all, the safe computer from which you scan your files should be a powerful Windows machine that is also secured. This is why we recommend following these steps to secure it:

1. Download a ransomware and malware protection program.

2. Download a relevant ransomware protection program.
3. Download a relevant cloud backup program that backs up copies of your files to a secure server, so that even if your computer is affected you will stay protected. For more information you can also check other methods to safely store your data here.

After securing the safe PC, you should prepare it for the recovery process, which will most likely be lengthy. This is why we recommend changing the power settings so that your recovery computer does not automatically hibernate or sleep while left scanning the drive.

Step 1: Click on the battery icon in your system tray (next to the digital clock) in Windows and then click on More Power Options.
Step 2: The Power Options menu will appear. In your power plan click on Change Plan Settings.
Step 3: In your plan’s settings make sure you set “Turn off the display” and “Put the computer to sleep” to “Never” from the drop-down minutes menu.
Step 4: Click on Save Changes and close it.

Recovery Phase

For the recovery process, we have outlined several common drive migration scenarios between different computers:

  • From Laptop to Laptop with no extra components.
  • From Desktop to Desktop with no extra components.
  • From Laptop to Desktop with a SATA cable if the Desktop has an outdated chipset.
  • From Desktop to Laptop with a SATA cable if the Laptop has a newer chipset.

To simplify the process, we recommend that you choose machines that do not require any extra cables or components for the drive to run on them. In case you do not have such a possibility, we recommend using an external SATA-to-USB adapter.

Step 1: Remove the battery and power from your laptop. For desktop computers, unplug the power cable from the outlet.

Step 2: Using the screwdriver, unscrew the case which carries the hard drive. For laptops, you should follow these steps:


Step 3: Remove the hard drive, again using the screwdriver. It will look similar to the one in the picture below:


Step 4: Plug the hard drive into a secure computer which has an internet connection and Windows installed, and screw it in firmly. If connected directly, the hard drive should be detected by the OS as a separate partition, similar to the picture below:


Step 5: After you have connected the drive, you will likely not be able to open it, because its sectors are encrypted. However, because only some of the sectors are encrypted, enough to render the drive no longer openable, you may have a chance if you use data recovery software to recover the files from the drive as if you were scanning a lost partition.

Most data recovery programs support scanning broken partitions, but we recommend that you try the following:

Stellar Phoenix Windows Data Recovery

We will continue to monitor the situation with RedBoot ransomware and update this article with every new variant that comes out. Follow this web page or our blog newsletter by e-mail for more information to come soon. In the meantime, we strongly advise you to update your Windows systems and secure them properly against malware. To learn more about securing your PC and data in the future, we recommend reading the following materials:

Related: Ransomware Protection Tips

Related: Safely Store Your Important Files and Protect Them from Malware

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in the basic education of every user towards online safety.
