This article explains, in detail, what B0r0nt0k ransomware (also written “Borontok ransomware”) is and how to remove it from a WordPress website. Before going into the details, you need to know a little about ransomware in general.
B0r0nt0k Ransomware Removal – Is Your WordPress Website Infected by Borontok?
Ransomware is a class of malware that denies you access to your own system or data, usually by encrypting files, and only restores access after a payment has been made.
The motive behind ransomware attacks is almost always financial. What sets ransomware apart from other malware is that it announces itself: the victim is told that the system has been compromised and is given instructions for paying to recover. Payment is usually demanded in a cryptocurrency such as Bitcoin, which makes the recipient harder to identify.
Ransomware spreads through several channels: trojanised software, email attachments, compromised websites and removable storage devices. In recent years a large share of attacks has come through exposed Remote Desktop Protocol (RDP) services, where the attacker guesses or steals credentials and needs no interaction from a victim at all.
There are two types of ransomware in circulation: locker ransomware, which locks the victim out of the device or desktop without encrypting individual files, and crypto ransomware, which encrypts the files and withholds the key.
Some locker versions even overwrite the Master Boot Record (MBR), the section of a PC's hard drive that is read at start-up to boot the operating system.
Technically, ransomware has existed since the late 1980s, but in the past five years it has taken off. The main reason is the availability of hard-to-trace payment methods such as Bitcoin. Here are some of the major families –
The first, launched in 2013 and infecting around 500,000 machines, was a Trojan that spread through malicious email attachments and via a botnet. Once downloaded and run, it searched the system for particular file types and encrypted them.
Each victim was assigned an RSA key pair generated on the attackers' server: the public key was handed to the malware on the infected machine, while the matching private key never left the attackers' server. The owner was then told to pay a ransom for the private key; if the deadline passed, the key was deleted and the files were lost.
Next is a file-encrypting ransomware that targets Linux servers. It encrypts the files on the server and marks them with the .rontok extension. This is a serious infection that affects not just your data but goes one step further and makes changes to –
Another family mainly targeted files belonging to games. It encrypts the files saved on the machine and demands a ransom for the decryption key, without which normal access to the affected files cannot be regained.
A further family, active in late 2015 and early 2016, mainly affected mobile phones. It likewise encrypts the victim's files, leaving them inaccessible without the attacker's cooperation.
WannaCry, also known as WannaCrypt, WannaCryptor and Wanna Decryptor, is another well-known ransomware. It targets Windows machines, spreading on its own from one unpatched host to the next through the EternalBlue SMBv1 exploit (patched by Microsoft as MS17-010), encrypts the files it finds and displays a message demanding a ransom.
The victim is asked to pay in Bitcoin and told that the files will only be released once payment is received, and that the data will be destroyed otherwise. Paying, however, does not guarantee recovery of the encrypted data.
In 2017, just weeks after the WannaCry outbreak, NotPetya infected thousands of computers in many countries within days, using the same EternalBlue exploit (together with stolen credentials to move laterally). Unlike ordinary ransomware, its primary motive was disruption rather than profit: the "ransom" mechanism was never designed to allow recovery at all.
Released in 2016, this family arrived as phishing emails carrying a supposed invoice in a Microsoft Word document laced with malicious macros.
When the document is opened it shows garbled text and the prompt “Enable macro if data encoding is incorrect,” a standard trick to get the user to enable macros and so run the code that installs the ransomware.
These are some of the best-known ransomware families. Let us now focus on the most recent of them, B0r0nt0k: what it is and how to remove it.
B0r0nt0k is a file-encrypting ransomware that surfaced on February 25th, 2019, when site owners reported finding files with strange names and the ‘.rontok’ extension.
It also circulates under the name Borontok. Its primary targets are websites and servers running Linux, although Windows systems are reported to be at similar risk. The attackers demand 20 bitcoins (roughly $75,000) for recovery of the data. Affected files are given the .rontok extension, and their original file names are replaced with base64-encoded strings (base64 is an encoding, not encryption; it is the file content that is encrypted).
The attackers inject a small program that encrypts generic data files along with some site configuration files. Affected administrators may find that files with the following extensions are no longer accessible:
.PNG, .PSD, .PSPIMAGE, .TGA, .THM, .TIF, .TIFF, .YUV, .AI, .EPS, .PS, .SVG, .INDD, .PCT, .PDF, .XLR, .XLS, .XLSX, .ACCDB, .DB, .DBF, .MDB, .PDB, .SQL, .APK, .APP, .BAT, .CGI, .COM, .EXE, .GADGET, .JAR, .PIF, .WSF, .DEM, .GAM, .NES, .ROM, .SAV, .DWG, .DXF, .GPX, .KML, .KMZ, .ASP, .ASPX, .CER, .CFM, .CSR, .CSS, .HTM, .HTML, .JS, .JSP, .PHP, .RSS, .XHTML, .DOC, .DOCX, .LOG, .MSG, .ODT, .PAGES, .RTF, .TEX, .TXT, .WPD, .WPS, .CSV, .DAT, .GED, .KEY, .KEYCHAIN, .PPS, .PPT, .PPTX, .INI, .PRF, .HQX, .MIM, .UUE, .7Z, .CBR, .DEB, .GZ, .PKG, .RAR, .RPM, .SITX, .TAR.GZ, .ZIP, .ZIPX, .BIN, .CUE, .DMG, .ISO, .MDF, .TOAST, .VCD, .SDF, .TAR, .TAX2014, .TAX2015, .VCF, .XML, .AIF, .IFF, .M3U, .M4A, .MID, .MP3, .MPA, .WAV, .WMA, .3G2, .3GP, .ASF, .AVI, .FLV, .M4V, .MOV, .MP4, .MPG, .RM, .SRT, .SWF, .VOB, .WMV, .3D, .3DM, .3DS, .MAX, .OBJ, .BMP, .DDS, .GIF, .JPG, .CRX, .PLUGIN, .FNT, .FON, .OTF, .TTF, .CAB, .CPL, .CUR, .DESKTHEMEPACK, .DLL, .DMP, .DRV, .ICNS, .ICO, .LNK, .SYS, .CFG.
A ransom note is displayed in the web browser. It contains a UUID that the victim must enter in a later step, when visiting borontok.uk. The actors demand payments of up to 20 Bitcoin (≈$75,000/€66,900) and may use the ‘info@borontok.uk’ email account to contact victims.
Once the victim enters their ID on that page, the scammers demand 20 BTC and give three days to pay, threatening to delete the data permanently otherwise. Payment is to be made through a form on the site. Even if the victim pays, there is no assurance that decryption will follow.
A cryptovirus like B0r0nt0k can disable security tools or other functions so that it keeps running without interruption, warns 2-Spyware.com, and it can alter more critical parts of the system if left untreated.
It is not currently clear how B0r0nt0k gained a foothold on the affected Linux servers, but in such cases it typically comes down to server misconfiguration or to running out-of-date software with known remote code execution vulnerabilities.
Attacks like B0r0nt0k prey on organisations that lack preparation. Without a recent backup, a B0r0nt0k infection leaves you with very few options.
Restoring from backup after a ransomware attack is still time-consuming, so you should also take steps to prevent infection in the first place. Applying the latest security patches to your applications and servers is potentially the single most important step you can take, but it is not enough on its own. Combating ransomware requires a multi-layered defence, including intrusion prevention to block application exploits and malware-detection tools that use machine learning and behavioural detection to identify evasive payloads.
The most effective way to keep B0r0nt0k off a Linux server is to reduce its exposure: do not leave SSH and FTP open to the whole internet. Replace plain FTP with SFTP, restrict SSH to key-based authentication from known addresses, and firewall everything else.
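As an added example (not from the original article), here is a small POSIX shell audit of the sshd settings that matter most when port 22 has to stay reachable. The two sample configurations are constructed inline; the check list, the default values used for absent directives (taken from OpenSSH's documented defaults) and the function names are ours.

```shell
#!/bin/sh
# Added example, not part of the original article: audit an sshd_config for the
# settings that blunt password guessing and root brute force on an exposed host.
# Sample configs are constructed inline; nothing here touches a real server.

# Effective value of a directive: sshd honours the first occurrence, comment lines
# never match, and directive names are case-insensitive. Prints nothing if unset.
sshd_get() {   # $1 = config file, $2 = directive
    awk -v k="$2" 'tolower($1)==tolower(k) { print $2; exit }' "$1"
}

# One check per line: "Directive wanted-value OpenSSH-default". Absent directives
# are judged by their default, so an untouched distro config fails honestly.
SSHD_CHECKS='PasswordAuthentication no yes
PermitRootLogin no prohibit-password
PubkeyAuthentication yes yes
PermitEmptyPasswords no no
MaxAuthTries 3 6'

# Print a FAIL line per weak setting; return 0 only if every check passes.
audit_sshd() {   # $1 = config file
    printf '%s\n' "$SSHD_CHECKS" | while read -r key want dflt; do
        got=$(sshd_get "$1" "$key"); got=${got:-$dflt}
        case $key in
            MaxAuthTries) [ "$got" -le "$want" ] && continue ;;
            *)            [ "$got" = "$want" ]   && continue ;;
        esac
        printf 'FAIL %s=%s (want %s)\n' "$key" "$got" "$want"
    done | grep . && return 1
    return 0
}

# Write a sample config and print its path: "weak" is a typical distro default
# (password logins on, root policy left at default), "hard" is the tightened version.
sample_cfg() {   # $1 = weak | hard
    f=$(mktemp)
    if [ "$1" = weak ]; then
        printf '%s\n' 'Port 22' '#PermitRootLogin prohibit-password' \
            'PasswordAuthentication yes' 'Subsystem sftp /usr/lib/openssh/sftp-server' > "$f"
    else
        printf '%s\n' 'Port 22' 'PermitRootLogin no' 'PasswordAuthentication no' \
            'PubkeyAuthentication yes' 'PermitEmptyPasswords no' 'MaxAuthTries 3' \
            'AllowUsers deploy' 'Subsystem sftp /usr/lib/openssh/sftp-server' > "$f"
    fi
    printf '%s\n' "$f"
}

# Demo run: the weak file fails three checks, the hardened one passes.
for kind in weak hard; do
    cfg=$(sample_cfg "$kind")
    if audit_sshd "$cfg"; then echo "$kind: OK"; else echo "$kind: needs work"; fi
    rm -f "$cfg"
done
```

On a real server point it at /etc/ssh/sshd_config, or better at the output of `sshd -T` saved to a file, since that shows the effective configuration after Match blocks and Include files (its lowercase keys are handled by the case-insensitive lookup). SFTP is served by the same sshd, so switching plain FTP off loses nothing; after that, restrict port 22 at the firewall to your administrative addresses and keep the SSH key files themselves off the web root.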
As a website owner, here is a guide you can use to detect and remove Borontok ransomware.
Various tools can scan your website remotely to find malicious payloads and malware locations. WP Hacked offers a free WordPress plugin, available in the WordPress plugin directory.
To scan for WordPress Hacks –
Review the iFrames, Scripts and Links tabs of the malware scan report for suspicious elements.
You can check for the ransomware on your Linux server or website by looking for mass file renames. Large numbers of renamed files appearing at once is not normal; if you see them, it is a clear sign that ransomware is present. Published analyses of the malware also list the files it drops, which you can search for by name.
One of the easiest ways to identify ransomware is to look at the file extensions it leaves behind. Almost every ransomware family uses a distinctive extension, which makes it easier to tell which family has hit your server; for B0r0nt0k that extension is .rontok.
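As an added example (not from the original article), the following shell snippet does that triage for a web root: it counts the .rontok files and, because the page describes the new names as base64-encoded, tries to recover the original file name from each stem. The sample tree is constructed inline; the function names are ours.

```shell
#!/bin/sh
# Added example, not part of the original article: triage a web root for the
# traces B0r0nt0k leaves behind, i.e. files renamed to "<base64 of original
# name>.rontok". The sample tree below is constructed; real paths differ.

# Count .rontok files under $1: a quick first answer to "are we hit, and how badly".
count_rontok() {
    find "$1" -type f -name '*.rontok' | wc -l | tr -d ' '
}

# List each .rontok file with the original name recovered from its base64 stem,
# or "?" when the stem is not valid base64. Output: "<path><TAB><original-name>".
# Knowing which files were hit tells you exactly what a restore has to cover.
scan_rontok() {
    find "$1" -type f -name '*.rontok' | while IFS= read -r f; do
        stem=$(basename "$f" .rontok)
        if orig=$(printf '%s' "$stem" | base64 -d 2>/dev/null) && [ -n "$orig" ]; then
            printf '%s\t%s\n' "$f" "$orig"
        else
            printf '%s\t?\n' "$f"
        fi
    done | sort
}

# Constructed sample site: two encrypted files, one that is not base64 at all
# (so the decoder's failure path is exercised), and one untouched file.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads"
    : > "$d/$(printf 'index.php' | base64).rontok"                     # aW5kZXgucGhw.rontok
    : > "$d/wp-content/uploads/$(printf 'logo.png' | base64).rontok"   # bG9nby5wbmc=.rontok
    : > "$d/wp-content/uploads/not-base64!.rontok"
    : > "$d/wp-content/readme.txt"
    printf '%s\n' "$d"
}

demo=$(make_demo_tree)
echo "encrypted files: $(count_rontok "$demo")"
scan_rontok "$demo"
rm -rf "$demo"
```

Run it against the document root before touching anything else and save the listing alongside your incident notes: the decoded names tell you which uploads, configuration files and scripts need to come back from backup, and a zero count on a server that shows the ransom note means the damage is elsewhere (a shared database or a mounted volume, for instance).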
Most core WordPress files should never change. Check wp-admin, wp-includes and the root folder for integrity issues; a pristine copy of the same WordPress version and the diff command in a terminal are enough to confirm whether core files have been altered.
New or recently modified files are often part of the compromise. To list them manually, show every file under the current directory changed in the last 15 days –
$ find ./ -type f -mtime -15
Sorting by timestamp makes the newest changes stand out. The first command lists only files; the second also includes directories (shown here for /etc, where a server-side intrusion also leaves traces) –
$ find /etc -type f -printf '%TY-%Tm-%Td %TT %p\n' | sort -r
$ find /etc -printf '%TY-%Tm-%Td %TT %p\n' | sort -r
There are a great many WordPress backup plugins, and choosing the best one is not easy. If you want a hassle-free, secure plugin to back up your WordPress blogs and websites, BackupBuddy is hard to beat. Here are its key features –
The plugin offers nine interval options for backup schedules. This comes in handy during a high-traffic event on your website, such as a sale.
Located in Schedules > Add New Schedule section > Backup Intervals dropdown
You can also create a backup profile that backs up only the site's files. Sometimes the database is not what matters, or only particular files are needed in a backup. For instance, if you have large self-hosted images and video files, you may want to split your backups so that each runs more efficiently.
Located in Backup > + > Backup Profile Type dropdown
This feature lets you attach a short note to a backup file, for example to record when it was made or to remind yourself to send it offsite later.
Located in Backup > Local Backups section. Hover over the backup file name to see the “Note” link
If you use BackupBuddy you do not need a separate optimisation plugin: it can check and repair database tables. Open the Database tab under the Server Tools menu item and hover over any table to see the check and repair action links.
Located in Server Tools > Database tab
Now let us turn to backing up a WordPress website without a plugin. Backups fall into two main types: automatic and manual.
Automatic backups run on their own and can also be taken at the server level. Many WordPress-friendly hosts offer automatic backups, and premium hosting plans often add further features.
While server-level automatic backups are more convenient, you should also keep other copies of your website in different places. Here are some ways to take a manual backup of your files and databases –
With cPanel you can back up the whole website. Depending on your host, cPanel may look different. On Bluehost, for instance, you can back up –
If you have created email accounts on the server, their mailboxes can also be restored quickly. Downloading a backup is straightforward: a zip or tar file is produced for download.
You can then save these files to iCloud, a thumb drive, an external hard drive or your own computer for safekeeping. Keep at least one copy off the server itself: the extension list above includes .ZIP, .TAR.GZ and .SQL, so backups left on the infected host are encrypted along with everything else.
Backing up your database with phpMyAdmin means exporting a copy of your database tables to your local PC or wherever else you want to keep it. Here are the steps to follow –
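As an added example (not from the original article), here is the same manual backup done from a shell, which is what you want when cPanel or phpMyAdmin is not available or when the job has to run from cron: the database credentials are read from wp-config.php, the database is dumped with mysqldump, the files are archived, and a SHA-256 manifest is written so the copy you move offsite can be verified before you ever need it. The sample site and all paths are constructed inline; the helper names are ours, not WordPress or cPanel APIs.

```shell
#!/bin/sh
# Added example, not part of the original article: a plugin-free WordPress backup.
# It reads the DB credentials from wp-config.php, dumps the database with
# mysqldump when one is reachable, archives the site files (uploads included,
# cache excluded) and writes a SHA-256 manifest so the copy you ship offsite can
# be verified later. The sample site and every path are constructed.

# Value of define('NAME', 'value') in wp-config.php; single or double quotes.
wp_config_get() {   # $1 = wp-config.php, $2 = constant name
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Create <dest>/<stamp>.tar.gz (+ <stamp>.sql if mysqldump succeeds) and
# <dest>/<stamp>.sha256 covering both. Prints the stamp.
backup_site() {   # $1 = site root (contains wp-config.php), $2 = destination dir
    site=$1; dest=$2; cfg=$1/wp-config.php; stamp=$(date +%Y%m%d-%H%M%S)
    name=$(basename "$site")
    mkdir -p "$dest"
    if command -v mysqldump >/dev/null 2>&1; then
        # MYSQL_PWD keeps the password out of the process list and avoids an
        # interactive prompt; --single-transaction gives a consistent InnoDB snapshot.
        MYSQL_PWD=$(wp_config_get "$cfg" DB_PASSWORD) mysqldump --single-transaction \
            -h "$(wp_config_get "$cfg" DB_HOST)" -u "$(wp_config_get "$cfg" DB_USER)" \
            "$(wp_config_get "$cfg" DB_NAME)" > "$dest/$stamp.sql" 2>/dev/null \
            || rm -f "$dest/$stamp.sql"
    fi
    tar -czf "$dest/$stamp.tar.gz" -C "$(dirname "$site")" \
        --exclude="$name/wp-content/cache" "$name"
    ( cd "$dest" && { sha256sum "$stamp.tar.gz"
                      [ -f "$stamp.sql" ] && sha256sum "$stamp.sql"; true; } > "$stamp.sha256" )
    printf '%s\n' "$stamp"
}

# Return 0 only if every file in the manifest still matches its recorded hash.
verify_backup() {   # $1 = destination dir, $2 = stamp
    ( cd "$1" && sha256sum -c --quiet "$2.sha256" )
}

# Constructed sample site: a wp-config.php in both quoting styles WordPress
# installs use, one upload worth keeping and one cache file worth skipping.
make_sample_site() {
    root=$(mktemp -d)/wordpress
    mkdir -p "$root/wp-content/uploads" "$root/wp-content/cache"
    printf '%s\n' '<?php' \
        "define( 'DB_NAME', 'wp_shop' );" \
        'define("DB_USER", "wp_user");' \
        "define( 'DB_PASSWORD', 'correct horse' );" \
        "define( 'DB_HOST', 'localhost' );" > "$root/wp-config.php"
    printf 'jpeg bytes' > "$root/wp-content/uploads/photo.jpg"
    printf 'stale html' > "$root/wp-content/cache/page.html"
    printf '%s\n' "$root"
}

site=$(make_sample_site)
dest=$(mktemp -d)
stamp=$(backup_site "$site" "$dest")
ls "$dest"
verify_backup "$dest" "$stamp" && echo "backup $stamp verified"
rm -rf "$(dirname "$site")" "$dest"
```

On a real server the destination should be a directory the web server's user cannot write to, and the archive, dump and manifest should be copied off the machine (rsync over SSH, object storage, or the host's own offsite option) straight after the run; the same verify step run at the remote end is what tells you the copy arrived intact. If DB_HOST carries a port (host:3306) pass it with -P, and if the site uses a non-default table prefix nothing changes, since mysqldump takes the whole database.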
Ransomware aims to reach as many machines as possible: once one computer is infected, its next step is to spread across the entire local network. A sacrificial (decoy) network segment can therefore be genuinely useful.
Such a network acts as an early warning mechanism. Its machines hold many small random files on slow disks, so the ransomware spends a long time encrypting them, which gives you time to investigate the activity and, most importantly, to back up your real data. The decoys only help if someone is watching them, so alert on any change to those files.
Next-generation firewalls can also detect ransomware activity on the network: suspicious traffic is identified and blocked. Keep the firewall and its signatures updated.
On individual computers, a security suite that combines a firewall, anti-malware and anti-virus can detect ransomware. A reputable product is backed by a team that works around the clock to keep its protection current.
For a home user the cost may seem high, but it is worth the price.
If your website is affected by B0r0nt0k ransomware, seek professional assistance: this is a critical situation and it is easy to make it worse. One option is the professional service offered by WP Hacked.
With years of experience behind us, we keep a close watch on emerging ransomware threats so that your business stays protected, and we also offer fixes for key WordPress hacks and vulnerabilities.