Ransomware continues to challenge companies of every type and has become one of the most feared business threats; some cybersecurity research has also pegged it as the most popular form of malware. Ransoms can be extortionately high; however, the cost of downtime is also extremely high.
A new ransomware has been discovered that encrypts victims' websites and demands 20 bitcoin (or around $75,000) to regain control of the site. The ransomware is called B0r0nt0K and primarily affects Linux servers, but it may also be able to encrypt Windows.
B0r0nt0K encrypts the website and renames all of the encrypted files, adding a .rontok extension to them. Not much is yet known about B0r0nt0K and how it operates, since the only examples seen have come from examining the payment site and analyzing files submitted to online forums, such as the BleepingComputer forum post that drew attention to the issue.
Coder and “Malware Hunter” Michael Gillespie (@demonslay335) states that when B0r0nt0K encrypts a file, it base64-encodes the encrypted data.
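A triage check built on the two traits reported above, the .rontok extension and base64-encoded file contents; this is an added example, not code from the article or from any analysis of B0r0nt0K. The entropy test and the `MIN_BYTES` and `RATIO` values are assumptions chosen here, resting on the general property that encrypted data looks random.

```python
import base64, binascii, math, os, sys
from collections import Counter

RONTOK_EXT = ".rontok"   # extension the article says is appended
MIN_BYTES = 64           # assumption: below this, entropy is not meaningful
RATIO = 0.9              # assumption: fraction of the maximum possible entropy

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(raw: bytes) -> str:
    """Label file contents by whether they fit 'base64 of ciphertext'."""
    try:
        decoded = base64.b64decode(b"".join(raw.split()), validate=True)
    except (binascii.Error, ValueError):
        return "not-base64"
    if len(decoded) < MIN_BYTES:
        return "inconclusive"
    # A short buffer cannot reach 8 bits/byte, so compare against its own ceiling.
    ceiling = min(8.0, math.log2(len(decoded)))
    return "likely-encrypted" if entropy(decoded) >= RATIO * ceiling else "base64-low-entropy"

def scan(root: str) -> dict:
    """Map each *.rontok file under root (relative path) to its label."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(RONTOK_EXT):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    findings[os.path.relpath(path, root)] = classify(fh.read())
    return findings

if __name__ == "__main__":
    # Usage: python rontok_scan.py /var/www   (the web root path is an example)
    for rel, label in sorted(scan(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(f"{label:20} {rel}")
```

A "likely-encrypted" result only says the file matches the reported pattern; files labelled "not-base64" or "base64-low-entropy" carry the extension but do not fit it and deserve a manual look.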
The user is instructed to go to the payment site, where they have to enter an ID. Once the ID is entered, a payment page is presented to the user that includes the ransom amount, the bitcoin address and an email address (firstname.lastname@example.org) where the victim can attempt to negotiate the price.
Strangely, the source code for the payment site contains the embedded comment “Vietnamese Hacker”. Of course, this could be meaningless, put there to throw people off or any number of things, but it could also be a hint at the hacker's identity.
It is too soon to say how widespread B0r0nt0K is or will become, but we can only hope that the damage is minimal. Ransomware is a hot problem across all industries at the moment, meaning the pressure is high when it comes to combatting these threats. On Thursday it was revealed that employees at Melbourne Heart Group in Malvern, Australia were unable to access patients’ medical records after a ransomware attack that encrypted the health care provider’s files. Around 15,000 patient files were encrypted in the attack, and the actors were thought to be from North Korea or Russia.
The above case represents a worrying trend in ransomware, that anything is fair game. Ransomware is obviously profitable enough that new bad actors are popping up all the time to take advantage of victims. New ransomware is being continually created or existing ransomware is being tweaked in order to avoid cybersecurity efforts.
Below are some key ransomware statistics compiled by Comparitech covering the period 2017-2019:
- In 2016, 70% of businesses paid to get their data back. (Source: IBM)
- Ransomware is costing businesses more than $75 billion per year. (Source: Datto)
- Businesses lost around $8,500 per hour due to ransomware-induced downtime. (Source: Datto)
- An IBM study noted that a quarter of business executives would be willing to pay between $20,000 and $50,000 to regain access to encrypted data. (Source: IBM)
- According to Cryptonite, healthcare organizations saw an 89 percent year-over-year increase in ransomware attacks.