Posted 22 February 2019 - 03:04 PM
Hi there
A client of mine had their web site encrypted. Demanding 20 BC (£60 000!!!) for keys (the site cant make that in a decade)
the extension is
.rontok
for which I cant find a single reference on the net.
bc address: 3P8nU1oLe23DtSuzFQMoVJdqcJA6xKnVJC[/size]
the server us running ubuntu 16.04
Edited by quietman7, 25 February 2019 - 09:32 AM.
Bleepin' Gumshoe
Posted 22 February 2019 - 04:23 PM
Malware developers targeting entire websites with ransomware is not new but I have not read any recent reports.
Did they leave a ransom note and if so, what is the actual name of the ransom note?
Can you provide the ransom note contents?
Did the cyber-criminals provide an email address to send payment to? If so, what is the email address?
.
.
Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015 
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief
If I have been helpful & you'd like to consider a donation, click 
Posted 22 February 2019 - 04:30 PM
unfortunately all we have is a screen shot of the ransom note (no one seems to recall actually deleting the note but we can no longer find it)
https://www.screencast.com/t/fJ7pQNS9TZUP
email : info@borontok.uk
which linked to https://borontok.uk
https://www.screencast.com/t/IVPUG3kDGs
Bleepin' Gumshoe
Posted 22 February 2019 - 04:43 PM
.
.
Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief
If I have been helpful & you'd like to consider a donation, click
Posted 22 February 2019 - 06:30 PM
The only files present are the encrypted data files.. there do not appear to be any tools installed to encrypt the files.
Bleepin' Gumshoe
Posted 22 February 2019 - 07:41 PM
.
.
Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief
If I have been helpful & you'd like to consider a donation, click
Security specialist and Ransomware expert
Posted 23 February 2019 - 01:38 AM
magicker
Edited by Amigo-A, 23 February 2019 - 03:51 AM.
My site: The Digest "Crypto-Ransomware" + Google Translate
Posted 23 February 2019 - 02:53 AM
If that is all you have, then submit (upload) samples to ID Ransomware (IDR) for Demonslay335 (Michael Gillespie) to manually inspect the files. Maybe he can get some information from them
I have uploaded a few samples via the form
Posted 23 February 2019 - 03:53 AM
magicker
They used and play with the name of the virus Brontok, which was more than 12-13 years ago.Of course, he is hardly active now, but his name is now used in this Ransomware.You need send me several encrypted files so that can more accurately identify the program.Use free services for transfer this files to PM:It is necessary to act immediately, without delay.
samples sent .. many thanks for your time
Security specialist and Ransomware expert
Posted 23 February 2019 - 04:27 AM
ok. I looked and sent the link to Demonslay335.
In my Digest this Rw now described as Rontok Ransomware
Edited by Amigo-A, 23 February 2019 - 03:05 PM.
My site: The Digest "Crypto-Ransomware" + Google Translate
Posted 23 February 2019 - 04:40 AM
Just to be clear this is a web server running Ubuntu 16.04
Ransomware Hunter
Posted 23 February 2019 - 10:35 AM
Do you remember what the ransom note name, and or extension of it was? Looks like a form, so I would suspect either .html or .php. Based on the encrypted files and their filenames, I can only suspect it is using a block cipher of 16 bytes (e.g. AES), which is basically de-facto for ransomware. The filenames are encrypted and base64 encoded (with URL encoding, thus the %2B and %3D), which is quite interesting. The files themselves as you may have seen are encrypted then saved as base64, which is unnecessary for sure.
We'll definitely need a sample of the malware to analyze. I'm suspecting it could be a PHP script, just based on the odd choice of encoding.
If you could share more details about the web site itself in PM, I can see if they provide any clues. E.g. was it a CMS and what version.
ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]
If I have helped you and you wish to support my ransomware fighting, you may support me here.
Bleepin' Gumshoe
Posted 23 February 2019 - 11:08 AM
.
.
Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief
If I have been helpful & you'd like to consider a donation, click
Posted 25 February 2019 - 01:09 PM
Hey, guys! Have you gotten news on that? Were you able to get the hash?
Thank you!
Posted 25 February 2019 - 01:36 PM
I have spoken to all involved and no one knows where the ransom note / encryption / decryption mechanism went to
this was called
Edited by magicker, 25 February 2019 - 01:39 PM.
0 members, 0 guests, 0 anonymous users
Back to top
