In this article you will get know, in detail, about What is B0r0nt0k Ransomware? or “Borontok ransomware“. How to remove B0r0nt0k Ransomware from your WordPress website. Before going into the details, you need to know a little about ransomwares.
In a hurry, click below to go to selected section:
B0r0nt0k Ransomware Removal – Is Your WordPress Website Infected by Borontok?
What is a Ransomware?
Ransomware can be defined as malware or malicious software. It is more convoluted than a typical malware which locks the computer, usually by encryption and it only decrypts after the payment is received.
What is the Purpose of Ransomware
Sole motive for ransomware attacks is mainly monetary. Things are bit different when it comes to ransomware where you are made acquainted that an exploit has intervened and instructions are extended for how to recover from the attack. Usually, in such a case, a virtual currency like bitcoin is demanded to hide the identity of the cyber criminal.
How is Ransomware Distributed?
Ransomware can spread through multiple ways such as – infected software apps, email attachments, compromised websites, and external storage devices. Of late, a significant number of attacks have taken place via a remote desktop protocol that does not require any user interaction.
- IndoXploit WordPress Hack – What It Is & How To Fix It
- How To Remove Malware From WordPress Site
- WordPress Theme Security – How to Ensure Safety Of Your Theme
Types of Ransomware
There are two types of ransomware in circulation:
- Encrypting ransomware, which incorporates advanced encryption algorithms. It’s designed to block system files and demand payment to provide the victim with the key that can decrypt the blocked content. Examples include CryptoLocker, Locky, CrytpoWall and more.
- Locker ransomware, which locks the victim out of the operating system, making it impossible to access the desktop and any apps or files. The files are not encrypted in this case, but the attackers still ask for a ransom to unlock the infected computer. Examples include the police-themed ransomware or Winlocker.
Some locker versions can even infect the Master Boot Record (MBR). The MBR is the section of a PC’s hard drive which enables the operating system to boot up.
Technically, ransomware has been prevalent since the 90s, but in the past five years, it has taken off. The main reason behind its immense acknowledgment is owing to the availability of untraceable payment methods such as Bitcoin. Here are some of the major ones –
Launched in 2013 and infecting 500,000 machines, this is a type of Trojan ransomware. It spreads through compromised email attachments or via a botnet. When this ransomware is downloaded and activated, it goes ahead and searches for particular types of files to encrypt.
This encryption is carried out with the help of RSA public key cryptography; then it sends the private key to some distant servers. It further demands the owner of the system to pay ransom to decrypt or recover the affected files. In case the owner fails to do so, he loses the private key.
This ransomware is a file-locking virus. This virus encrypts the files on the linux server and marks them with .rontok file extension. This is, indeed, a serious cyber infection that affects not just your data but it goes one step ahead and makes changes to –
- Modified startup settings
- Added registry entries
- Added files or programs
- Disabled functions or applications
This is also a type of ransomware and mainly targeted gaming files. This one encrypts the files saved on the machine, and a ransom is demanded to attain the decryption key. With the help of decryption key, normal access to the affected files can be gained.
This ransomware, popular in late 2015 and early 2016, attack mainly affected mobile phones. This ransomware also encrypts the files, making it inaccessible without the assistance of the scammer.
Also known as WannaCrypt, WannaCryptor, and Wanna Decryptor, WannaCry is yet another type of ransomware. This particular ransomware will seal your device (personal computer, tablet, or a smartphone) infect your files and a message will be displayed seeking ransom.
As a victim, you will be asked to pay a ransom via Bitcoin. The files will only be released once the scammer has received the payment, however failing to pay the amount will lead to the destruction of the data. On the negative side, paying the ransom does not ensure recovery of the encrypted data.
In 2017, just weeks after the outbreak of WannaCry, NotPetya infected thousands of computers in over 100 nations in just a matter of days. This malware also used the same exploit WannaCry used. This particular ransomware is unlike other ransomware where the primary motive was to cause disruption.
Released in 2016, this ransomware was discovered by the IT experts. The scammers used to send infected emails appealing for payment via an invoice as a malicious Microsoft Word document that runs infected macros.
As and when the user opens the document, he/she receives a pop up saying “Enable macro if data is incorrect,” which is a standard method to deceit the user and simultaneously affect the system.
These were some of the common ransomware. Out of these, let us focus our attention towards the latest ransomware – B0r0nt0k. What it is and how to remove this newest ransomware.
- WordPress XSS Attack – Exploit & Protection
- WordPress Malware Removal Checklist
- Web Shell PHP Exploit 💀 What, Why & How To Fix
What is B0r0nt0k ransomware?
The B0r0nt0k Ransomware is a file encoder threat that emerged on February 25th, 2019 when site owners reported finding files with strange names and the ‘.rontok’ extension.
This ransomware has emerged in the threat landscape by the name of Borontok. The primary target of this virus is websites and servers running on Linux, but the threat is alike for the systems running on Windows. As a ransom, the attackers demand 20 bitcoins (roughly $75,000) for the recovery of the data. The affected files are given. rontok extension. Besides, it also encoded with the base64 algorithm.
— Gary Dower (@GaryDower) February 24, 2019
The attackers injected a small program that encrypted generic data containers along with some site configuration files. Affected server administrators may find that the data with the following extensions is no longer available:
.PNG, .PSD, .PSPIMAGE, .TGA, .THM, .TIF, .TIFF, .YUV, .AI, .EPS, .PS, .SVG, .INDD, .PCT, .PDF, .XLR, .XLS, .XLSX, .ACCDB, .DB, .DBF, .MDB, .PDB, .SQL, .APK, .APP, .BAT, .CGI, .COM, .EXE, .GADGET, .JAR, .PIF, .WSF, .DEM, .GAM, .NES, .ROM, .SAV, .DWG, .DXF, .GPX, .KML, .KMZ, .ASP, .ASPX, .CER, .CFM, .CSR, .CSS, .HTM, .HTML, .JS, .JSP, .PHP, .RSS, .XHTML, .DOC, .DOCX, .LOG, .MSG, .ODT, .PAGES, .RTF, .TEX, .TXT, .WPD, .WPS, .CSV, .DAT, .GED, .KEY, .KEYCHAIN, .PPS, .PPT, .PPTX, .INI, .PRF, .HQX, .MIM, .UUE, .7Z, .CBR, .DEB, .GZ, .PKG, .RAR, .RPM, .SITX, .TAR.GZ, .ZIP, .ZIPX, .BIN, .CUE, .DMG, .ISO, .MDF, .TOAST, .VCD, .SDF, .TAR, .TAX2014, .TAX2015, .VCF, .XML, .AIF, .IFF, .M3U, .M4A, .MID, .MP3, .MPA, .WAV, .WMA, .3G2, .3GP, .ASF, .AVI, .FLV, .M4V, .MOV, .MP4, .MPG, .RM, .SRT, .SWF, .VOB, .WMV, .3D, .3DM, .3DS, .MAX, .OBJ, .BMP, .DDS, .GIF, .JPG, .CRX, .PLUGIN, .FNT, .FON, .OTF, .TTF, .CAB, .CPL, .CUR, .DESKTHE, EPACK, .DLL, .DMP, .DRV, .ICNS, .ICO, .LNK, .SYS, .CFG.
A ransom note is displayed on the web browser screen. It also contains the UUID of the user that is required in the later stages bortontok.uk is visited. The ransomware actors appear to request payments that go up to 20 Bitcoin (≈$75,000/€66,900) and may use the ‘email@example.com’ email account to reach out to the victims.
The moment a user fills their ID on the page, the scammers demand to pay 20BTC, they also give them three days to make the payment or else they will delete their data permanently. This payment should be made through form given on the provided website. Even if the user makes the payment, there is no assurance that the decryption will happen.
A cryptovirus like B0r0nt0k can disable security tools or other functions to keep running without interruption, warns 2-Spyware.com. The B0r0nt0k ransomware can alter more crucial parts of the computer if left untreated.
While it may not be currently clear how the B0r0nt0K ransomware was able to establish a foothold on the affected Linux servers in question, typically it comes back to server misconfigurations or from running out-of-date versions of software with known remote code execution vulnerabilities
Ransomware attacks like B0r0nt0K prey on organizations that lack preparation. You may be in trouble if you don’t have a recent backup and have fallen victim to B0r0nt0k ransomware
Restoring backups after a ransomware attack is still a time-consuming process, though, which means you also should take steps to prevent the infection in the first place. Applying the latest security patches to your applications and servers is potentially the single most important step you can take to shore up your defenses, but it is not enough. Combating ransomware requires a multilayer defensive approach, including intrusion prevention services to block application exploits, and advanced malware-detection tools that use machine learning and behavioral detection to identify evasive payloads
What Else to Do
The most active way to prevent B0r0nt0K from entering your Linux server is to close the SSH (secure shell) and the FTP (file transfer protocol) ports,
- Restore the site from source control or backups;
- Change all admin passwords;
- Audit the software stack for known vulnerabilities that could have allowed the attacker in, and patch as appropriate;
- Audit the site’s configuration for any weak spots;
- Disable services that are not critical, and close those open ports;
- Ensure backups are operational; and
- Conduct a penetration test of the Internet-facing network footprint.
- Malicious Code Injection WordPress
- How To Setup WordPress Two-Factor Authentication
- WordPress Maintenance Checklist
Is Your WordPress Website Infected – B0r0nt0k Ransomware Removal
As a website owner, here is the guide you can use to detect and remove borontok ransomware.
Scan Your Website –
To find malicious payloads and malware locations, various tools can scan your website remotely. WP Hacked comes with a free WordPress plugin that is available in the WordPress archive.
To scan for WordPress Hacks –
- Visit WP Hacked Help website.
- Hit scan website.
- In case the website is infected, make sure you review the message.
- If any payloads and locations are available, make sure you take a note of them.
- In case of any blacklist warning, it is important to take a note of it.
Review the iFrames/Scripts tab/Links of the malware scan to look for suspicious elements.
Analyze the Files Names –
You can check for the ransomware on your linux server/website by having a thorough check of the file renames. Having multiple renames on your computer is not common. If there are, then this is a clear sign of the presence of ransomware on your computer. You can also refer to some of the popular websites to have a better comprehension of all the files used by the ransomware.
Consider Looking at your Extension Files –
One of the easiest ways to scan your website for ransomware is to have a closer look at your extension files. Almost every ransomware has different extension files. This makes your task more comfortable to make out which ransomware has affected your computer.
Checking Core File Integrity –
Majority of the essential WordPress files should not be modified. It is important you have checked the wp-admin, root folders, and wp-includes for any integrity issue. You can use the diff command in the terminal to confirm the integrity of your WordPress core files.
Check Recently Modified Files –
There is always a possibility that a new or recently modified files are a part of the hack. If you want to check the recently modified files manually –
- With the help of an FTP client or SSH terminal, you can easily log into your server.
- If you are using SSH listing all modified files, in the last 15 days, can be easily done by using the following command –
$ find ./ -type f -mtime -15
- In case you are using SFTP, you can have a closer look at the last modified date for the files on your server.
- Closely check all the files that have recently modified.
On Linux, you can check the recently modified files with the help of terminal commands –
- Type in your terminal –
$ find /etc -type f -printf '%TY-%Tm-%Td %TT %p\n' | sort -r .
- If you want to have a look at the directory files, type in your terminal –
$ find /etc -printf '%TY-%Tm-%Td %TT %p\n' | sort -r .
- If you are using SFTP, you can have a closer look at the last modified date column for all files on the server.
- If you find unfamiliar changes in the last 7-30 days, they may be suspicious.
Take Backup of your Website –
There are a plethora of WordPress backup plugins out there, and it is indeed an arduous task to make a smart choice for the best one. But, if you are looking for a hassle free and secure plugin to initiate backup of your WordPress blogs and websites, then nothing beats BackupBuddy. Here are the key features of this plugin –
Our Detailed Guide – How to Backup WordPress Database Manually & With Plugins?
Hourly Database Backups –
This plugin offers nine varied interval options for backup schedules. This feature comes handy during a high-traffic event at your website such as during a sale.
Located in Schedules > Add New Schedule section > Backup Intervals dropdown
Files Only Backup –
As a user, you are offered a choice to create a new backup profile that allows taking backup of only the files on the website. There are times when you are using your database is not important, or only particular files are required within a backup. For instance – if there are large-sized images and video files (self-hosted), you probably wish to split your backups, so that they run more efficiently.
Located in Backup > + > Backup Profile Type dropdown
Backup Notes –
Using this feature, adding a short note to the backup files is easy. This can be used to make written marks about when the backup file was made or to remind yourself when to send the backup offsite later.
Located in Backup > Local Backups section. Hover over the backup file name to see the “Note” link
Database Repair –
If you are using Backup Buddy, you don’t require a separate optimisation plugin. This plugin is capable enough to check and repair the databases. All you need is to visit the Database tab in the Server Tools menu item. All you need is to hover over any item, and you can see check & repair action links.
Our Detailed Guide – Optimize & Repair WordPress Database – Fix Corrupted Tables
Located in Server Tools > Database tab
Now, let us shift our attention towards backing up your WordPress website without using a plugin. This particular section is divided into two main types – automatic and manual.
Automatic WordPress Backups
This type of backup takes place on their own. Backups can also be done at the server level. There are so many WordPress-friendly hosts offering automatic backups. And if you have decided to use a premium hosting service, you can expect some additional features as well.
Manual WordPress Backups –
While automatic backups, on the server-level, is a far more convenient and modern method, you wish other copies of your website should be saved at different places. Following are some of the ways you can carry out a manual backup of your files and databases –
Through Your Host –
With the help of cPanel, you can take the backup of the whole website. Entirely depending on your host, your cPanel may have a different appearance. In case you are using Bluehost, you have the convenience of taking the backup of –
- Website files
- Full cPanel Backup
- Home Directory
- MySQL Databases
In case you have created email addresses on the server, restoration of the emails can be done quickly. Downloading a backup is a piece of cake. And then, a zip or tar file download emerges.
You also enjoy the convenience of saving these files to the iCloud, thumb drive, external hard drive or to your computer to keep them safe.
Through phpMyAdmin –
Backing up your database using phpMyAdmin comprise of creating a copy of your database tables. Further, they should be exported to your local PC or anywhere else where you wish to save them. Here are the backup steps you need to follow –
- The first step involves logging in to your web hosting accounts cPanel. Navigate to the databases and hit phpMyAdmin.
- Now, to log in to phpMyAdmin, you need to enter your username and password.
- You have the choice of either hitting databases towards the left side or hit the tab of databases on the top navigation tabs. This will divulge all your databases.
- Here, you need to choose for the databases you wish to copy. Once you are done, you need to hit the export tab.
- Make sure you only check the Add Drop Table and then hit export.
- Lastly, you need to hit the ‘save as file’, followed by hitting the go button. Now, save the copy of your MySQL database to your computer. In case you have a huge DB, you also have the option of saving a compressed or zipped file.
- How to Scan & Detect Malware in WordPress Themes
- Best WordPress Security Plugins in 2019
- How To Fix Backdoor In Hacked WordPress Site?
- Employ Sacrificial Network –
The primary approach of the ransomware is to affect as many computers as possible. In this process, when one computer is affected by the ransomware, its following step is to spread the infection the entire local network. Therefore, to have a sacrificial network can really prove fruitful.
This network of computers will perform the role of an early warning mechanism for you. These computers have low rpm hard disks with small random files. This way the ransomware will take a longer time to encrypt your data and files. You will have time to audit the entire activity and most importantly take the backup of your data.
- Employ Next-Generation Firewalls –
You can scan for ransomware by using next-generation firewalls. If you have any suspicious activity in your network, this firewall will ascertain it and block it. Make sure that the firewall is updated.
- Have a Security Suite –
You can detect ransomware, on your computer, by using the power of a security suite comprising of a firewall, anti-malware, and anti-virus. If the software is a legit one, then you can count on it. This is because of the fact there is a team of professionals working, around the clock, to provide the best protection for its customers.
If you are a home user, then it may prove costly to you, but at the end of the day, it is worth the price that you pay.
Why Hire a Professional
If your website is affected by B0r0nt0k ransomware, seeking professional assistance is the way to go. This is; indeed, a critical situation and it is easy to make the situation from bad to worse. One excellent option is to seek the professional services of WP Hacked.
Equipped with years of experience, rest assured that your business is always protected. We keep a close check on any probable threat of ransomware in the future. Besides, we also offer solutions to key WordPress hacks and vulnerabilities.