B0r0nt0K Ransomware Demands 20 Bitcoin (app $75000) from Victims


The newest ransomware making news is B0r0nt0K (spelled like ‘BorontoK’, but with the Os replaced by 0s). While it has hit at least one Linux server, experts say that it also has the potential to lock up Windows servers. Unfortunately, at the moment there seems to be no antivirus defense against B0r0nt0K.

The B0r0nt0K ransomware encrypts all of the files on the affected server, adding the ‘.rontok’ extension to them. To decrypt the files, the owner of the website has to cough up 20 Bitcoin (worth approximately $75,000 USD).

The site at which one is to pay the ransom, borontok.uk, was registered this month through the registrar one.com. However, at the time of this writing, the site had already been taken down.

Explains Bleeping Computer, in whose forums the ransomware was first reported, “The file’s name will also be renamed by encrypting the filename, base64 encoding it, url encoding it, and finally appending the .rontok extension to the new file name. An example of an encrypted file’s name is zmAAwbbilFw69b7ag4G4bQ%3D%3D.rontok.”
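A defender-side check for the renaming scheme just described, added here as an example and not code from the article or from Bleeping Computer: it reverses the URL encoding and base64 steps and flags names whose decoded stem is a block-aligned blob. The 16-byte block size is an assumption (the article only shows one 16-byte example), and the sample names other than the first are constructed.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Constructed sample listing: the first name is the example quoted from the
# Bleeping Computer write-up; the others are constructed to exercise the checks.
SAMPLE_NAMES = [
    "zmAAwbbilFw69b7ag4G4bQ%3D%3D.rontok",   # from the article
    "index.php",                              # untouched file
    "readme.rontok",                          # extension only, stem is not base64
    "AAAA.rontok",                            # valid base64 but 3 bytes: not block-aligned
]

RONTOK_EXT = ".rontok"

def decode_rontok_stem(name: str):
    """Undo the described steps (URL-encode of base64 of the encrypted original
    name) and return the raw bytes, or None if the name does not fit that shape."""
    if not name.endswith(RONTOK_EXT):
        return None
    stem = name[: -len(RONTOK_EXT)]
    b64 = unquote(stem)                       # undo URL encoding (%3D -> '=')
    # strict base64 alphabet and length check before decoding
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", b64) or len(b64) % 4:
        return None
    try:
        return base64.b64decode(b64, validate=True)
    except binascii.Error:
        return None

def looks_like_rontok(name: str, block_size: int = 16) -> bool:
    """Flag names whose decoded stem is a non-empty, block-aligned blob, which is
    what encrypting a filename with a block cipher would produce.
    block_size=16 is an assumption, not something the article states."""
    raw = decode_rontok_stem(name)
    return raw is not None and len(raw) > 0 and len(raw) % block_size == 0

def scan_names(names):
    """Return the subset of names matching the B0r0nt0K naming pattern."""
    return [n for n in names if looks_like_rontok(n)]

if __name__ == "__main__":
    for hit in scan_names(SAMPLE_NAMES):
        print("suspected .rontok rename:", hit)
```

Running it over a real directory listing (os.listdir) instead of SAMPLE_NAMES gives a quick triage of which files were touched.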

The original forum post, posted on Friday by Bleeping Computer user ‘magicker’, says, in toto:


B0r0nt0K (Rontok) Ransomware (website encrypted with .rontok)

Hi there

A client of mine had their web site encrypted. Demanding 20 BC (£60 000!!!) for keys (the site can’t make that in a decade)

the extension is

.rontok

for which I can’t find a single reference on the net.

bc address: 3P8nU1oLe23DtSuzFQMoVJdqcJA6xKnVJC

the server us (sic) running ubuntu 16.04”

When the victim would go to the borontok.uk site, they would see this image:

[Image: the borontok.uk page shown to victims, with the contact address misspelled as botontok.uk. Credit: BleepingComputer.com]

Note that the email address to contact them has a typo in it (‘botontok.uk’ instead of ‘borontok.uk’). However, the email address is correct on the subsequent screen to which they are taken after entering the UUID provided by the hacker to the victim.

[Images: the B0r0nt0K ransom demand screens. Credit: BleepingComputer.com]

Bleeping Computer goes on to say that “Once an ID is entered, the user will be presented with a payment page that includes the bitcoin ransom amount, the bitcoin payment address, and the info@botontok.uk {Ed. note: the email address on that second screen is actually the correct “info@borontok.uk” email address, not the “info@botontok.uk” email address} email that can be used to contact the developers. In this particular instance, the ransom demand was 20 bitcoins, which is currently equal to approximately $75,000. The developers, though, appear to be willing to negotiate the price.”

That last is based on the fact that at the bottom of that second screen the text includes “Negotiate? Contact: info@borontok.uk”.

Now of course, this may all seem moot given that the borontok.uk website has been shut down. However, there’s nothing stopping the hacker from bringing up a new site and hitting more victims – after all, he just needs one victim to pay up to make it more than worth his while to keep opening new payment websites and to keep doing his dirty work.

So what is the best way to protect yourself against this and other ransomware?

According to antivirus company Norton, the best ways to protect yourself against ransomware include the obvious (don’t respond to the hacker, don’t give in to the demands, have good antivirus software) and some things that may not be so obvious, such as making sure that all of your software is up to date and all patches are employed (as software holes are one of the easier ways for a hacker to get malware onto your computer).

And if you are hit with ransomware, restore your files from the last good backup (which you are making, right?)
