A new cryptovirus called "B0r0nt0K" has been putting Linux and possibly Windows Web servers at risk of encrypting all of the infected domain's files.
The new ransomware threat and the ransom of 20 bitcoins (about US$75,000) first came to light last week, based on a post on Bleeping Computer's user forum.
A client's website had all its files encrypted and renamed with the .rontok extension appended to them, the forum user indicated. The website was running on Ubuntu 16.04.
The B0r0nt0K ransom note is not displayed in a text format or in the message itself, based on the report. Instead, the screen display on the infected system links to the ransomware developer's website, which delivers details of the encryption and the payment demand. The display includes a personal ID required for logging onto the site.
"The initial compromise vector in this incident is not yet known nor has a sample of the malware been obtained by researchers," said Kent Blackwell, threat and vulnerability assessment manager at Schellman & Company.
"Without a sample of the malware or other indicator of compromise, it is likely that most antivirus products -- particularly those that rely on static signatures -- will fail to prevent this infection," he told LinuxInsider.
Payment Risky Business
After completing the logon to the ransomware developer's website, a payment page appears that includes the bitcoin ransom amount, the bitcoin payment address, and the email@example.com email to contact the developers.
The inclusion of contact information on one of the displayed message screens suggests that the developers are willing to negotiate the price, according to 2-Spyware.com. The word "Negotiate?" precedes the email address to reach the ransomware developers.
The ransom note is generated on the screen of a Web browser window. The virus developers encourage infection victims to pay the ransom in three days via the form on their provided website to avoid the permanent deletion of their files.
However, the alleged decryption key might never be delivered to victims who pay the huge ransom amount, 2-Spyware.com warns on its website. The company recommends not paying the ransom since it gives no guarantee.
"While it may not be currently clear how the B0r0nt0K ransomware was able to establish a foothold on the affected Linux servers in question, typically it comes back to server misconfigurations or from running out-of-date versions of software with known remote code execution vulnerabilities."
A cryptovirus like B0r0nt0k can disable security tools or other functions to keep running without interruption, warns 2-Spyware.com. The B0r0nt0k ransomware can alter more crucial parts of the computer if left untreated.
The asking price for this ransom is quite high and suggests a potential ulterior motive, according to Mounir Hahad, head of the Juniper Threat Labs at Juniper Networks.
"Maybe the perpetrator is just testing his approach on a less prominent website before moving on to wealthier targets," he told LinuxInsider.
It is not yet known how the ransomware was executed on the victim's Web server, said Blackwell.
"Ransomware needs a way in," said Josh Tomkiel, threat and vulnerability assessment manager at Schellman & Company.
"While it may not be currently clear how the B0r0nt0K ransomware was able to establish a foothold on the affected Linux servers in question, typically it comes back to server misconfigurations or from running out-of-date versions of software with known remote code execution vulnerabilities," he told LinuxInsider.
Keep Your Guard Up
A persistent threat lurks with cryptoware, even if you succeed in decrypting your files, Tomkiel warned. Never assume that you are "out of the woods yet."
A ransomware author easily can add a backdoor into that server for remote access at a later time, so restoring from a backup is really the only solution, he noted.
"Do not assume paying the ransom will allow you to decrypt your data. There is no guarantee that the ransomware author is going to uphold their end of the bargain," said Tomkiel.
All that appears certain about the B0r0nt0k ransomware is that it is not a novel attack.
So far, the B0r0nt0K ransomware stands out only for to the ransom amount it seeks, Blackwell said.
"There is nothing particularly novel about this specific attack, although it looks not to have been triggered by clicking on an email," Mukul Kumar, CISO and VP of cyber practice at Cavirin, told LinuxInsider.
Kent Blackwell is a Manager with Schellman. Kent has over 9 years of experience serving clients in a multitude of industries, including the Department of Defense and top cloud service providers. In this position, Kent leads test efforts against client's web applications, networks, and employees through social engineering campaigns. Additionally Kent works with Schellman’s FedRAMP and PCI teams to ensure customer’s compliance needs are met in a secure and logical manner.
Joshua Tomkiel is a Manager and Penetration Tester with Schellman based in Philadelphia, PA. Prior to joining Schellman in 2015, he worked as an Application Security Analyst at Barclaycard US, performing web/mobile application security assessments and penetration testing on key IT systems. He produced detailed risk reports that identified vulnerabilities and provided recommendations on how to remediate findings. In addition, he conducted static and dynamic code analysis on internally developed applications. Josh has over 10 years of experience within the Information Technology field.