[BreachExchange] B0r0nt0K ransomware demands $75,000 ransom from victims

Destry Winant destry at riskbasedsecurity.com
Tue Feb 26 00:04:18 EST 2019


https://securityaffairs.co/wordpress/81627/malware/b0r0nt0k-ransomware.html

The recently discovered B0r0nt0K ransomware infects both Linux and
Windows servers and demands a $75,000 ransom from victims.

A new piece of ransomware called B0r0nt0K has appeared in the threat
landscape. It targets websites and demands a 20 bitcoin ransom from
victims (roughly $75,000). The B0r0nt0K ransomware infects both Linux
and Windows servers.

The news was first reported by Bleeping Computer. In a
BleepingComputer forum post, a user reported the infection of a
website running on Ubuntu 16.04. The ransomware encrypts all files and
renames them by appending the .rontok extension to the file names. The
user who disclosed the news on the forum was only able to provide the
URL of the payment site, located at https://borontok.uk/. To access the
website, the victim has to provide a personal ID.

According to the popular malware researcher Michael Gillespie, when
the B0r0nt0K ransomware encrypts a file, it base64-encodes the
encrypted data.

“The file’s name will also be renamed by encrypting the filename,
base64 encoding it, url encoding it, and finally appending the .rontok
extension to the new file name. An example of an encrypted file’s name
is zmAAwbbilFw69b7ag4G4bQ%3D%3D.rontok.” reported Bleeping Computer.
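
For incident-response triage, the naming scheme quoted above can be checked
mechanically. The following is an added example, not code from the article
or from BleepingComputer. It flags files whose names match
urlencode(base64(encrypted name)) + ".rontok" and whose contents look like
base64 text. The function names and the 4096-byte sample size are
assumptions of this example.

```python
import base64
import binascii
import os
from urllib.parse import unquote

EXT = ".rontok"

def decode_rontok_name(filename):
    """Return the still-encrypted name bytes if `filename` follows the
    reported scheme (URL-encoded base64 plus ".rontok"), else None."""
    if not filename.endswith(EXT):
        return None
    stem = unquote(filename[:-len(EXT)])          # undo URL encoding (%3D -> =)
    try:
        raw = base64.b64decode(stem, validate=True)
    except ValueError:                            # binascii.Error subclasses ValueError
        return None                               # has the suffix but is not base64
    return raw or None

def body_is_base64(path, sample=4096):
    """Heuristic: the first `sample` bytes of the file are valid base64 text."""
    with open(path, "rb") as fh:
        chunk = b"".join(fh.read(sample).split())  # tolerate line wrapping
    chunk = chunk[:len(chunk) - len(chunk) % 4]    # keep whole 4-char groups
    if not chunk:
        return False
    try:
        base64.b64decode(chunk, validate=True)
        return True
    except binascii.Error:
        return False

def scan(root):
    """Walk `root`; return (path, encrypted_name_length, body_is_base64) per hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            raw = decode_rontok_name(name)
            if raw is not None:
                path = os.path.join(dirpath, name)
                hits.append((path, len(raw), body_is_base64(path)))
    return hits
```

A hit only identifies files affected by the renaming; it does not recover the
original name or contents, which remain encrypted.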

By accessing the payment site, the user will be presented with a
payment page including payment instructions (i.e., the ransom amount,
the bitcoin payment address, and the contact email info at botontok.uk).
Experts pointed out that the malware author appears to be willing to
negotiate the ransom amount.

BleepingComputer analyzed the source code of the payment site and
discovered the string “Vietnamese Hacker” in a comment, a circumstance
that could suggest that the malware author is Vietnamese.

