The blackmail message  (Image: Bleeping Computer)


Ransomware: Redboot stops Windows startup and cannot decrypt.

Redboot-Ransomware overwrites the MBR, the partition table – and apparently has apparently no possibility of restoring the encrypted files ever. Even if the victims paid.

Against a new Ransomware with the name Redboot there is next to backups probably no remedy. According to Bleeping Computer, the program overwrites the master boot record of the hard drive and locks users out of their Windows system.

Ransomware is currently distributed via infected mail attachments and unpacks five files on the hard drive of the users. The files boot.asm and boot.bin are compiled by a script and then used to overwrite the previous master boot record of the hard disk. Only afterwards, these files are encrypted on the hard drive and equipped with the new file end .locked.

Windows does not start anymore

After the encryption process, the computer is automatically shut down, however when restarting, Windows does not start, but the users are prompted to send an e-mail to for instructions on how to pay for the blackmail message. A key ID is also displayed, which is to be transmitted. It has not yet been clarified whether it is really an unambiguously assigned ID.

In addition, Ransomware does not provide any possibility to enter a decryption key. The only way to recover your own data would therefore be a self-booting tool, which the attackers would send after the payment of the so far unknown blackmail sum. Moreover, Bleeping Computer writes that the malware also overwrites the partition table and that there is so far no indication of a working backup of the information.


All in all, it can only be warned against making payments to the blackmailer.


Contact Us.