RedBoot Ransomware Removal Guide

Do you know what RedBoot Ransomware is?

RedBoot Ransomware is no joke. If this malicious infection slithers in, it is highly unlikely that you could even get your personal files back. Besides encrypting these files, the infection also edits Master Boot Record (MBR) files, which prevents your operating system from loading normally. Instead, a red screen appears, and a ransom note is represented via it. Regardless of how many times you restart your computer, you will face the same red screen with the same demands. Rebooting the operating system into Safe Mode will not help either. You can repair MBR using the Windows installation CD/DVD, but your files will not be automatically recovered if you do that. In fact, your files are likely to be saved only if they are backed up externally. If that is the case, all you need to focus on is the repairing of MBR and the removal of RedBoot Ransomware. The good news is that deleting the files used by this malicious infection should not be too complicated.

This is not the first time our research team has come across an infection that corrupts MBR. A few other threats that are capable of the same thing include GoldenEye Ransomware and Petya Ransomware. The removal of these infections has been discussed in reports that you can find on this site. While there are some similarities, RedBoot Ransomware is a unique threat, and our research team has found that it was compiled with the AutoIT scripting language. Some researchers believe that this malware might be more than just a regular file encryptor. They believe that it is a wiper that might have been created to wipe data found on the operating system, which, of course, would make the recovery of files impossible. Despite that, the cyber criminals who created this malware are after one thing, and that is your money. The ransom note represented via the red screen informs that you must send your ID number to to receive instructions on how to “unlock” your files. These instructions are likely to include a payment of a ransom, and you should not get involved because you are likely to lose money for no reason at all.

At this point, it is still unknown how RedBoot Ransomware is distributed, but it is likely that spam emails and vulnerable RDP connections are used to spread this infection. Once the main file is executed, it extracts five more files into a folder with a random name. The launcher and this folder are placed in the same location. Then, the launcher file uses “assembler.exe” to compile the “boot.asm” file into the MBR file called “boot.bin”. Once that is done, the .EXE and .ASM should be automatically deleted from your operating system. Then, “Overwrite.exe” replaces the original MBR with “boot.bin”. After all this, the malicious “main.exe” starts encrypting files and adding the “.locked” extension to all of them. Once this file is done, the system is restarted into the new MBR file, and you are introduced to the red screen with the ransom note. Needless to say, you need to delete RedBoot Ransomware files.

Once you repair the MBR – which you can do following the guide below – you need to delete RedBoot Ransomware from your operating system. Note that some of the files might have removed themselves after execution, and others might have different names. If you cannot remove the infection yourself because you cannot find its location or you are afraid to eliminate the wrong files, the best option you have is to install anti-malware software. It will automatically eliminate this dangerous infection from your operating system. When it comes to your files, you should not try to recover them with the help of cyber criminals. If you do not have them backed up, you might have to count your losses.

Repair MBR (Mater Boot Record)

Windows 10/Windows 8/Windows 7/ Windows Vista

  1. Insert the Windows installation disk and wait for the menu to appear.
  2. Select the preferred installation parameters (e.g., language) and then click Next.
  3. Click Repair your computer and then select Command Prompt (if you are running Windows 10 or Windows 8, move to the Troubleshooting menu first).
  4. Type bootrec /fixmbr and tap Enter.
  5. Type bootrec /fixboot and tap Enter.
  6. Type bootrec /scanos and tap Enter.
  7. Type bootrec /rebuildbcd and tap Enter.
  8. Eject the installation disk and then type exit and tap Enter.
  9. Restart the computer and delete the malicious ransomware files.

Windows XP

  1. Insert the Windows installation disk.
  2. When the Press any key to boot from CD message appears, press any key.
  3. When the Welcome to Setup menu appears, tap R for Recovery Console.
  4. When the Which Windows installation would you like to log onto message appears type 1 and tap Enter.
  5. When the Type the Administrator password message appears, enter the password and tap Enter.
  6. Type in fixmbr and then tap Enter. Wait for fixmbr to repair MBR damage.
  7. Eject the installation disk and then type exit and tap Enter.
  8. Restart the computer and delete the malicious ransomware files.

Remove RedBoot Ransomware

  1. Find the {random name}.exe launcher of the ransomware.
  2. Delete the launcher file.
  3. Open the {random name} folder in the same directory and Delete these files:
    • assembler.exe
    • boot.asm
    • boot.bin
    • main
    • overwrite
    • protect.exe
  4. Empty Recycle Bin.
  5. Perform a full system scan to make sure that no ransomware leftovers are left behind.

In non-techie terms:

If your operating system was infected by RedBoot Ransomware, and a red screen was loaded with a ransom note, it is unlikely that there is anything you can do to recover your files. This malicious infection corrupts the Master Boot Record, and researchers believe that it works as a wiper that is meant to wipe data on your PC without any way of recovering it. The ransom note, of course, suggests that you can recover files if you email cyber criminals. If you do that, they are likely to push you into paying a ransom, and that, of course, is not something we recommend. Unfortunately, it is likely that your personal files are lost for good. Even so, you need to remove RedBoot Ransomware, and you can do that using the guide above only after you repair the Master Boot Record.