A new cryptovirus called “B0r0nt0K” has been putting Linux and possibly Windows Web servers at risk of encrypting all of the infected domain’s files.
The new ransomware threat and the ransom of 20 bitcoins (about US$75,000) first came to light last week, based on a post on Bleeping Computer’s user forum.
A client’s website had all its files encrypted and renamed with the .rontok extension appended to them, the forum user indicated. The website was running on Ubuntu 16.04.
The B0r0nt0K ransom note is not displayed in a text format or in the message itself, based on the report. Instead, the screen display on the infected system links to the ransomware developer’s website, which delivers details of the encryption and the payment demand. The display includes a personal ID required for logging onto the site.
“The initial compromise vector in this incident is not yet known nor has a sample of the malware been obtained by researchers,” said Kent Blackwell, threat and vulnerability assessment manager at Schellman & Company.
“Without a sample of the malware or other indicator of compromise, it is likely that most antivirus products — particularly those that rely on static signatures — will fail to prevent this infection,” he told LinuxInsider.
Payment Risky Business
After completing the logon to the ransomware developer’s website, a payment page appears that includes the bitcoin ransom amount, the bitcoin payment address, and the [email protected] email to contact the developers.
The inclusion of contact information on one of the displayed message screens suggests that the developers are willing to negotiate the price, according to 2-Spyware.com. The word “Negotiate?” precedes the email address to reach the ransomware developers.
The ransom note is generated on the screen of a Web browser window. The virus developers encourage infection victims to pay the ransom in three days via the form on their provided website to avoid the permanent deletion of their files.
However, the alleged decryption key might never be delivered to victims who pay the huge ransom amount, 2-Spyware.com warns on its website. The company recommends not paying the ransom since it gives no guarantee.
A cryptovirus like B0r0nt0k can disable security tools or other functions to keep running without interruption, warns 2-Spyware.com. The B0r0nt0k ransomware can alter more crucial parts of the computer if left untreated.
The asking price for this ransom is quite high and suggests a potential ulterior motive, according to Mounir Hahad, head of the Juniper Threat Labs at Juniper Networks.
“Maybe the perpetrator is just testing his approach on a less prominent website before moving on to wealthier targets,” he told LinuxInsider.
It is not yet known how the ransomware was executed on the victim’s Web server, said Blackwell.
“Ransomware needs a way in,” said Josh Tomkiel, threat and vulnerability assessment manager at Schellman & Company.
“While it may not be currently clear how the B0r0nt0K ransomware was able to establish a foothold on the affected Linux servers in question, typically it comes back to server misconfigurations or from running out-of-date versions of software with known remote code execution vulnerabilities,” he told LinuxInsider.
Keep Your Guard Up
A persistent threat lurks with cryptoware, even if you succeed in decrypting your files, Tomkiel warned. Never assume that you are “out of the woods yet.”
A ransomware author easily can add a backdoor into that server for remote access at a later time, so restoring from a backup is really the only solution, he noted.
“Do not assume paying the ransom will allow you to decrypt your data. There is no guarantee that the ransomware author is going to uphold their end of the bargain,” said Tomkiel.
All that appears certain about the B0r0nt0k ransomware is that it is not a novel attack.
So far, the B0r0nt0K ransomware stands out only for to the ransom amount it seeks, Blackwell said.
“There is nothing particularly novel about this specific attack, although it looks not to have been triggered by clicking on an email,” Mukul Kumar, CISO and VP of cyber practice at Cavirin, told LinuxInsider.
No Backups? Big Trouble
Ransomware attacks like B0r0nt0K prey on organizations that lack preparation. You may be in trouble if you don’t have a recent backup and have fallen victim to B0r0nt0k ransomware, warned Marc Laliberte, senior threat analyst at WatchGuard Technologies.
“We don’t have a copy of the payload to analyze at this time because B0r0nt0K is so new, but we do know the ransomware uses strong encryption — likely an AES variant, which is the standard for ransomware these days,” he told LinuxInsider.
This means you should not bank on being able to decrypt your files without paying, Laliberte noted — but paying the ransom does not always guarantee you will get your files back.
“The only thing guaranteed by paying is that these threat actors now have more funding and incentive to launch further attacks. This is why having a backup and restoration process is critical for every organization,” he said.
Restoring backups after a ransomware attack is still a time-consuming process, though, which means you also should take steps to prevent the infection in the first place. Applying the latest security patches to your applications and servers is potentially the single most important step you can take to shore up your defenses, but it is not enough, Laliberte cautioned.
“Combating ransomware requires a multilayer defensive approach, including intrusion prevention services to block application exploits, and advanced malware-detection tools that use machine learning and behavioral detection to identify evasive payloads,” he said.
Employee training is critical too, as most traditional ransomware attacks start with a phishing email. Phishing awareness, paired with technical defensive tools, can go a long way toward keeping your organization safe from ransomware like B0r0nt0K, according to Laliberte.
What Else to Do
The most active way to prevent B0r0nt0K from entering your Linux server is to close the SSH (secure shell) and the FTP (file transfer protocol) ports, said Victor Congionti, CEO of Proven Data.
“These are two of the main approaches … these hackers seem to be targeting to run the encryption scripts. The ransomware seems to use a base64 algorithm which converts characters to bits, which creates an extremely difficult decryption process to regain control,” he told LinuxInsider.
It is also possible that these attacks are being sent in through basic CMS (content management system) vulnerabilities. If users on Linux are utilizing a CMS to manage the content on their website, it is possible that this serves as a vulnerability in the security framework of the system, Congionti noted.
It is becoming more common for cybercriminals to find exposures in these seemingly secure applications, which allows them to make drastic changes to the security and permission settings of the network, he pointed out.
Most websites are deployed using a source version control system that can redeploy a clean version of the website in no time, noted Juniper’s Hahad.
“The only potentially permanent damage is to any content management system database if such a thing is used and is not backed up,” he said.
Don’t Pay – Do This Instead
Victims definitely should not pay the ransom. Instead, Hahad suggests the following:
- Restore the site from source control or backups;
- Change all admin passwords;
- Audit the software stack for known vulnerabilities that could have allowed the attacker in, and patch as appropriate;
- Audit the site’s configuration for any weak spots;
- Disable services that are not critical, and close those open ports;
- Ensure backups are operational; and
- Conduct a penetration test of the Internet-facing network footprint.
One final suggestion is to assume a breach, said Darin Pendergraft, vice president at Stealthbits Technologies.
“The best way to be prepared is to assume you will be breached, and then take steps to secure your servers and workstations accordingly,” he told LinuxInsider. “Assume an attacker is in your network and has control of a workstation. Then decide what data or IT resources they will want to steal or encrypt. Then take the extra steps to secure those resources.”
Top priority is to find your sensitive data, Pendergraft said. These include patient data, customer information and financial records. Make sure they are secured and accessible only by approved employees. Monitor those resources for unusual file behavior like bulk copy, delete or file encryption. Ensure you have an emergency plan in place to react within minutes.
“These steps won’t prevent an attack,” he acknowledged, “but they could mean the difference between a security incident and a full-blown breach.”
Thanks for this