
B0r0nt0k Ransomware

Posted: February 26, 2019

The B0r0nt0k Ransomware is a file-locking Trojan whose campaign targets websites hosted on Linux and, potentially, on Windows. It blocks the site's files by encrypting them and layering additional encoding on top, and it tells victims to pay Bitcoins for the unlocker through a custom domain. Given the size of the ransom and the lack of a public decryptor, victims should rely on backups as the ideal restoration option and, as always, may use anti-malware solutions to remove the B0r0nt0k Ransomware safely.

Website Maintenance Just Raised Its Price

A campaign attacking Linux-hosted websites through as-yet-unidentified infection methods is using encryption as a hostage-taking mechanism for the sites' files. While the attack itself is conventional enough, the B0r0nt0k Ransomware stands out for the price of its ransom: twenty Bitcoins, or roughly 75,000 US dollars at the time of writing. That price tag places the B0r0nt0k Ransomware in the same category as threats such as some versions of the GusLocker Ransomware or the FriedEx Ransomware, and far above the triple-digit ransoms of an average file-locking Trojan.

While malware researchers have yet to verify whether the B0r0nt0k Ransomware's encryption uses breakable or secure algorithms, they do confirm that it Base64-encodes the files it locks as a second layer. Base64 is a reversible encoding, not encryption, so this layer adds obscurity rather than any cryptographic strength. The B0r0nt0k Ransomware also rewrites file names with the same Base64 transformation, adds a further layer of URL encoding, and caps the result by appending a 'rontok' extension. The resulting filename resembles gibberish and gives no obvious indication of the original identity, although the name, unlike the contents, can be decoded back.
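The name transformation described above can be reproduced and reversed. The following is an added example, not code from the malware or from this site. It assumes details the article does not confirm: the standard Base64 alphabet with '=' padding, that the whole original name including its extension is encoded, that the URL-encoding layer percent-escapes every non-alphanumeric character, and that the suffix is '.rontok' with a leading dot. Recovering a name does nothing for the encrypted contents; the point is that this layer is obscurity rather than protection, and that a listing of locked names can be mapped back to the originals for comparison against a backup.

```python
"""Reproduce and reverse a B0r0nt0k-style file name obfuscation:
Base64 -> URL encoding -> '.rontok' suffix.

Added example, not the malware's own code. Assumptions (not confirmed
by the article): standard Base64 with '=' padding, the entire original
name including its extension is encoded, URL encoding percent-escapes
every non-alphanumeric character, and the suffix is '.rontok'.
"""
import base64
import binascii
from typing import Dict, List, Optional
from urllib.parse import quote, unquote

LOCKED_SUFFIX = ".rontok"  # assumed form of the appended extension


def obfuscate_name(original: str) -> str:
    """Apply the three layers in the order the article describes."""
    b64 = base64.b64encode(original.encode("utf-8")).decode("ascii")
    # quote(..., safe="") escapes '+', '/' and '=' as %2B, %2F and %3D
    return quote(b64, safe="") + LOCKED_SUFFIX


def recover_name(locked: str) -> Optional[str]:
    """Undo the layers. Returns None when the name is not in the expected
    format, which is how a scan tells locked files from untouched ones.
    Recovering the name says nothing about the encrypted contents."""
    if not locked.endswith(LOCKED_SUFFIX):
        return None
    body = unquote(locked[: -len(LOCKED_SUFFIX)])
    if not body:
        return None
    try:
        # validate=True rejects characters outside the Base64 alphabet
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def inventory(listing: List[str]) -> Dict[str, str]:
    """Map each locked name in a directory listing to its original name,
    skipping entries that do not parse. Useful for triage against backups."""
    result: Dict[str, str] = {}
    for name in listing:
        original = recover_name(name)
        if original is not None:
            result[name] = original
    return result


# Constructed directory listing (not a real infection): three names run
# through obfuscate_name, one untouched file, and one decoy that merely
# carries the suffix but is not valid Base64.
SAMPLE_LISTING = [
    obfuscate_name("index.php"),
    obfuscate_name("wp-config.php"),
    obfuscate_name("images/logo.png"),
    "robots.txt",
    "not-base64!!.rontok",
]

if __name__ == "__main__":
    for locked, original in inventory(SAMPLE_LISTING).items():
        print(f"{locked}  ->  {original}")
```

`recover_name` deliberately returns None rather than raising on malformed input, so an inventory over a large web root keeps going past decoys and unrelated files; anything it does recover still has to be restored from a backup, since only the name has been undone.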

While analysis of its ransom instructions awaits further samples, the B0r0nt0k Ransomware processes its ransoms through a dedicated site of its own. Like the Crysis Ransomware, the Scarab Ransomware, the Globe Ransomware, and other RaaS-style threats, the B0r0nt0k Ransomware payload uses an ID to link the victim to the transaction. Malware experts report, however, that its current wallet address shows no payments, meaning the campaign has yet to turn a profit.

The Website Practices for a Ransom-Free Environment

Although some of the B0r0nt0k Ransomware's internal strings suggest a possible Vietnamese origin, the threat actor's campaign presumes English as its victims' language. Since the majority of websites run on Linux-based hosts, the B0r0nt0k Ransomware has so far been seen only in attacks on that OS, but Windows-hosted sites may be similarly vulnerable. Its infection vectors do not limit the victims to those administrating high-profile websites, and admins can protect their sites with practices such as:

  • Strong passwords combining upper and lower case letters, numbers, and special characters are less vulnerable to a brute-force attack that could crack them.
  • Many hosting companies provide features such as remote backups, which can help recover encrypted data, or network monitoring, which can detect activity related to threats like the B0r0nt0k Ransomware.
  • 2FA, or two-factor authentication, is a helpful supplement to password credentials that puts an additional obstacle between remote attackers and your site's login.
  • Updating software promptly is as essential for website administrators as it is for other PC users. It is especially pertinent to WordPress sites, which are frequent targets of attacks abusing known vulnerabilities in outdated components.

If the B0r0nt0k Ransomware does get onto a host, users can remove its local installation with appropriate anti-malware solutions, but disinfecting the site doesn't decrypt any of the locked files.

With such a steep price, free decryption for the B0r0nt0k Ransomware isn't likely unless the AV industry finds an unanticipated weakness in its implementation. Website admins have more cause than ever to prevent, rather than mitigate, the impact of a Trojan's attacks.
