Severity
Medium
Analysis Summary
A ransomware strain called B0r0nt0K has surfaced that encrypts the files of victims' web sites and demands a ransom of 20 bitcoin (approximately $75,000 at the time of writing). The ransomware is known to infect Linux servers, but it may also be capable of encrypting files on Windows hosts.
The encrypted web site under analysis was running on Ubuntu 16.04. No sample of the ransomware binary was recovered from the server after encryption; only the ransom note was left behind.
The ransom note states the ransom amount, the contact email address of the threat actors and the bitcoin address to which payment is to be made.
The contact email address shares its domain with the malicious URL listed under Indicators of Compromise. The HTML source of that page contains the term "Vietnamese Hacker", hinting at the possible origin of this campaign.
Impact
Files Encryption
Affected Products
Linux Servers
Windows Servers
Indicators of Compromise
URLs
hxxps[:]//borontok[.]uk
Extension
.rontok
Email Address
info@borontok.uk
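The indicators above can be hunted for directly on a suspected server: encrypted files carry the .rontok extension, and the ransom note references the borontok.uk domain and contact address. The following Python script is an added example written for this alert; it is not Rewterz's tooling, and the sample web root it builds (file names, note text, byte contents) is constructed for illustration and is not taken from the compromised server. It refangs the published URL so it can be matched as a plain string, then walks a directory tree reporting files with the ransom extension and small text files that mention the indicators.

```python
import tempfile
from pathlib import Path

# Indicators of Compromise as published in the alert (URL kept defanged)
DEFANGED_URL = "hxxps[:]//borontok[.]uk"
RANSOM_EXTENSION = ".rontok"
CONTACT_EMAIL = "info@borontok.uk"

# Upper bound on files inspected for IoC strings, to avoid reading large binaries
MAX_TEXT_BYTES = 1_000_000


def refang(ioc):
    """Convert a defanged indicator (hxxp, [:], [.]) back into a matchable string."""
    return ioc.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


def scan_tree(root):
    """Walk root and return paths of encrypted files and of files mentioning the IoCs.

    Returns a dict with two sorted lists of paths relative to root:
      'encrypted': files whose suffix is the ransom extension
      'notes':     text-like files containing the refanged URL, the contact
                   email, or the bare domain label
    """
    patterns = [refang(DEFANGED_URL).lower(), CONTACT_EMAIL.lower(), "borontok"]
    hits = {"encrypted": [], "notes": []}
    base = Path(root)
    for path in base.rglob("*"):
        if not path.is_file():
            continue
        rel = str(path.relative_to(base))
        if path.suffix == RANSOM_EXTENSION:
            hits["encrypted"].append(rel)
            continue
        try:
            if path.stat().st_size > MAX_TEXT_BYTES:
                continue
            text = path.read_text(errors="ignore").lower()
        except OSError:
            continue
        if any(p in text for p in patterns):
            hits["notes"].append(rel)
    hits["encrypted"].sort()
    hits["notes"].sort()
    return hits


def build_sample_webroot():
    """Constructed sample (not real data): a web root with two encrypted files,
    one untouched file and a note that references the contact address."""
    root = tempfile.mkdtemp(prefix="webroot_")
    Path(root, "public").mkdir()
    Path(root, "public", "index.php.rontok").write_bytes(b"\x00\x11\x22garbage")
    Path(root, "public", "config.php.rontok").write_bytes(b"\xde\xad\xbe\xef")
    Path(root, "public", "robots.txt").write_text("User-agent: *\nDisallow:\n")
    Path(root, "README.txt").write_text(
        "Constructed sample note: contact info@borontok.uk to recover files\n"
    )
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    for kind, paths in scan_tree(sample).items():
        print(f"{kind}: {paths}")
```

On a live server, point scan_tree at the web root (for example /var/www) and at home directories; any .rontok hit or note match is grounds to isolate the host and preserve an image before cleanup, since the encrypting binary itself was not found on the analyzed server.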
Remediation
Since the initial attack vector of this campaign is still unknown, exercise caution when clicking links, opening emails, and downloading software, documents or applications from the internet.
Given the frequency of malspam campaigns, opening unsolicited email attachments should be avoided in particular.
Patch known vulnerabilities promptly and install security updates regularly, especially on internet-facing Linux and Windows servers; maintain offline backups of web content so that encrypted sites can be restored without paying the ransom.