Remove Borontok Ransomware (+File Recovery)

How to Remove Borontok Ransomware?

Readers recently started to report the following message being displayed when they boot their computer:

UUID:
Send 20 BTC to this address:
3P8nU1oLe23DtSuzFQMoVJdqcJA6xKnVJC
.
Negotiate? contact: info@borontok.uk
[**********]
Enter the TX ID BTC Already the if you sent bitcoin …
[Check]


The Borontok infection, also spelled B0r0nt0K, is part of the ransomware family. It also goes by the name Rontok, and that has to do with the extension you get stuck with once it strikes. As soon as the tool settles in, corruption ensues. The tool uses cryptographic algorithms to lock your files. It seizes control of every single one: archives, documents, music, videos and, of course, pictures. Everything you have on your PC gets encrypted. The tool appends the ‘.rontok’ extension at the end of each file, rendering your data completely unusable. A music file called ‘today.mp3’ turns into ‘today.mp3.rontok’, and once that happens, you can no longer access it. The only way to remove the encryption is via a unique decryption key. And, to get it, you must pay a ransom. It’s a classic extortion scheme. Unlike other ransomware threats, with Borontok you don’t get the classic ransom note. It’s not a text file you can find on your Desktop and in each affected folder. It gets generated on the screen of a web browser window, and contains your UUID. You’ll need that UUID later on, when you visit the Borontok.uk page. That page offers a login form, and you’re expected to input your ID, the one the infection gave you after it encrypted your files. The process is as follows. After you enter the UUID, you get a message that urges you to pay 20 Bitcoins as ransom. You get 3 days, and you have to do it via the form on their site. If you don’t, and disobey in any way, they threaten to delete your files. In case you’re unsure, 20 Bitcoins amounts to about 75 thousand US Dollars. You read that right. It says thousand. These people aren’t even worth a single dollar from you. They provide a list of requirements for you, but offer no guarantees. Don’t pay them a small fortune. Don’t follow their demands. Don’t contact them. Don’t reach out to them in any way. Do NOT comply. Compliance guarantees you nothing but regret.

How did I get infected?

Borontok seems to appear out of thin air one day. And, that’s because it uses trickery to invade undetected. It slips by you, unnoticed, by preying on your distraction, haste, and naivety, and with the help of the old but gold invasive methods. The infection can pretend to be a system or program update. It can hide behind freeware, corrupted links, sites, or torrents. And, of course, it can turn to spam emails for help. You get an email that seems legitimate on the surface. It appears to come from a reputable source, like a well-known company: FedEx, DHL, Amazon, you get the point. If you open the email, it claims you have to confirm some information or a purchase, or check an invoice. And, it urges you into clicking a link or downloading an attachment. If you do, you end up with Borontok eating at your system. Don’t give in to gullibility. Don’t rush, and don’t rely on luck. Always do your due diligence. Take the time to be thorough. Vigilance goes a long way, and it can save you countless troubles. Remember that. Caution helps you avoid problems, while carelessness invites them in.


Why is Borontok dangerous?

Do NOT pay the cyber kidnappers! Don’t comply with their demands. It won’t end well for you. Let’s examine your options, shall we? What happens once the Borontok threat strikes? You face a choice. You have to decide whether to comply or not. Heed experts’ advice, and don’t. Here’s the thing. All you have to go on is the word of cyber criminals. They provide no guarantees, only promises. Yes, they promise to send you the decryption key you need once you pay. But what if they don’t? What if they get your money and send you nothing? That’s a real possibility. Then you’re missing 75 000 US Dollars, and your files remain locked. There’s another possibility. The extortionists can, in fact, send you a decryption key. Only, once you apply it, you may discover that it’s the wrong one. So, again, you have less money and your data stays locked. And, what do you imagine is your best-case scenario? You pay, get the key, and it works? Well, what then? Yes, you remove the encryption, but the infection that performed it remains. What if it strikes again, mere minutes after you unlock your data? Is that a chance you’re willing to take? Don’t pay these people a dime. Don’t waste your time, energy, and money. Do not comply with their extortion scheme.

Borontok Removal Instructions

STEP 1: Kill the Malicious Process

STEP 2: Reveal Hidden Files

STEP 3: Locate Startup Location

STEP 4: Recover Borontok Encrypted Files

STEP 1: Stop the malicious process using Windows Task Manager

  • Open your Task Manager by pressing the CTRL+SHIFT+ESC keys simultaneously
  • Locate the process of the ransomware. Keep in mind that this is usually a randomly generated file name.
  • Before you kill the process, note the name in a text document for later reference.


  • Locate any suspicious processes associated with the Borontok encryption virus.
  • Right-click on the process
  • Open File Location
  • End Process
  • Delete the directories with the suspicious files.
  • Keep in mind that the process can be hiding and very difficult to detect

STEP 2: Reveal Hidden Files

  • Open any folder
  • Click on the “Organize” button
  • Choose “Folder and Search Options”
  • Select the “View” tab
  • Select the “Show hidden files and folders” option
  • Uncheck “Hide protected operating system files”
  • Click the “Apply” and “OK” buttons

STEP 3: Locate the Borontok encryption virus startup location

  • Once the operating system loads, press the Windows Logo key and the R key simultaneously, type regedit and press Enter to open the Registry Editor.


Depending on your OS (x86 or x64) navigate to:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

  • and delete the value with the display name [RANDOM] (the name differs from one infection to the next)


  • Then open Windows Explorer, navigate to your %appdata% folder and delete the executable.

You can alternatively use the msconfig Windows program to double-check the execution point of the virus. Please keep in mind that the names on your machine might be different, as they are often generated randomly; that’s why you should run a professional scanner to identify malicious files.
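As an added example that is not part of the original article, the PowerShell script below performs the checks from Steps 1 and 3 in one pass and scopes Step 4: it lists every value in the three Run keys above, flags executables launched from the user’s %APPDATA%, %LOCALAPPDATA% or %TEMP% folders, shows whether that executable is currently running, and counts files carrying the .rontok extension under the user profile. It only reports; nothing is deleted, and the “suspicious” label is a heuristic this example assumes, not an indicator taken from the article.

```powershell
# Added example (not the article's own code): audit the Run keys named in Step 3 and scope the damage.
# Report only. Review the output and decide yourself what to remove.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Heuristic assumed by this example: autostart entries living in per-user data folders deserve a look.
$userDataRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ }

function Get-RunEntryPath {
    param([string]$Command)
    # Expand %VARS%, then strip quotes and arguments to recover just the executable path.
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) { return ($cmd -split '"')[1] }
    return ($cmd -split '\s+')[0]
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip the provider's metadata properties
        $exe = Get-RunEntryPath ([string]$p.Value)
        if (-not $exe) { continue }
        $inUserData = $userDataRoots | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') }
        $note = if ($inUserData) { 'SUSPICIOUS: starts from a user data folder' } else { 'ok' }
        "{0}`n  name : {1}`n  path : {2}`n  note : {3}" -f $key, $p.Name, $exe, $note
        # Step 1 of the article: is that executable running right now? Note the PID before ending it.
        Get-Process -ErrorAction SilentlyContinue |
            Where-Object { $_.Path -and ($_.Path -ieq $exe) } |
            ForEach-Object { "  live : PID {0} ({1})" -f $_.Id, $_.ProcessName }
    }
}

# Step 4 scoping: how many files were renamed with the .rontok extension under this user's profile?
$encrypted = Get-ChildItem -Path $env:USERPROFILE -Recurse -Filter '*.rontok' -File -ErrorAction SilentlyContinue
"{0} file(s) with the .rontok extension found under {1}" -f @($encrypted).Count, $env:USERPROFILE
```

Run it from an elevated PowerShell prompt so that the HKLM keys and all processes are readable; entries marked ok can still be malicious if the sample installed itself elsewhere, which is why the article also recommends a scanner.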

STEP 4: How to recover encrypted files?

  • Method 1: The first and best method is to restore your data from a recent backup, in case that you have one.


  • Method 2: File Recovery Software – Usually, when the ransomware encrypts a file, it first makes a copy of it, encrypts the copy, and then deletes the original. Because of this, you may try to use file recovery software to recover some of your original files.
  • Method 3: Shadow Volume Copies – As a last resort, you can try to restore your files via Shadow Volume Copies. Open the Shadow Explorer part of the package and choose the drive you want to recover. Right-click on any file you want to restore and click Export.
