A ransomware strain called B0r0nt0K has surfaced that encrypts victims' websites and demands a ransom of 20 bitcoin, or approximately $75,000. This ransomware is known to infect Linux servers, but may also be able to encrypt the files of users running Windows.
The encrypted website under analysis was running on Ubuntu 16.04. No sample of the ransomware was found on the target site after it was encrypted. However, the following ransom note was found.
Furthermore, the ransom amount, the contact email address of the threat actors and the bitcoin address can be seen in the snapshot below.
The email address is associated with a malicious URL given below, whose source code contains the term “Vietnamese Hacker”, hinting at the potential origin of this ransomware campaign.
Indicators of Compromise
Since the initial attack vector is still unknown, caution should be exercised when clicking on links, opening emails, and downloading any kind of software, documents or applications from the internet.
Given the frequency of malspam campaigns, downloading email attachments should especially be avoided.
Moreover, all vulnerabilities should be patched promptly and security updates should be installed regularly.