Borontok/Rontok virus - How to remove

Borontok aka. Rontok (B0r0nt0K, Botontok) virus is a new ransomware that got attention on February 22, 2019, when a user on BleepingComputer forum posted its ransom note which was demanding for 20BTC which in US dollars is around $76,000 at the moment of writing. Although crooks have been getting greedier with time, such amount is definitely unattainable for the majority of the population. But this isn’t the only thing that makes Borontok ransomware interesting. The targeted systems, encryption methods, ransom note and etc. are all to an extent different than other usual cryptoviruses, making it seem like the hacker actually put work in this threat.

This ransomware’s name fluctuates between B0r0nt0K, Borontok, Rontok, and Botontok, because of the used extension .rontok which is added on encrypted files names and a couple of given contact email addresses, payment website’s name, which typically in other threats are under the same name. But no matter what you decide to call it, it executes the same. The developer of this virus has mentioned its name ‘Vietnamese Hacker’ in the code, but this does not mean that Rontok ransomware is from that part of the world or made by someone from Vietnam. However, there is another similar sounding threat named Brontok virus, which has been active many years ago, yet is not confirmed to be the same thing.

Cybersecurity researchers figured that B0r0nt0K ransomware is designed to attack Linux servers but also has an ability to infect Windows OS too, therefore all users, despite their operating system, should be at least aware of Rontok malwareThis article will explain more about why Borontok ransomware is dangerous, what it does to the system after the initial phases of infection and how to remove the cryptovirus and potentially get the files back.

What is Borontok/Rontok ransomware

Borontok/Rontok virus is a ransomware, just like PewCrypt, AYE ransomware or Seed Locker, which means that it initiates specific changes in the victims’ files data making them impossible to open unless they have the unlocking key, which is unique for everyone and only hackers know it. That decrypting code can be bought for a ransom, which in this case is incredibly high – $76k (20BTC). While it isn’t clear whether this amount was chosen because the Rontok virus developers are new in the malware world and are unaware of the current average ransomware prices or this threat was developed to attack companies, not individuals, although that still is a lot. However, before Borontok ransomware can even ask for anything, it Has to do a lot in the system to make it work to the crooks and not the user.

Borontok Rontok ransomware ransom notes

When B0r0nt0K ransomware begins its maliciousness by altering registry and adding itself to various System directories in order to prevent antivirus from detecting it, ensuring the persistence even if the user shuts down the machine and also finding potential files it can encrypt. Since Linux and Windows have completely different mechanisms, it is impressive that Rontok cryptovirus can work on both systems. Once the main functions are set up ransomware begins the encryption, which is also unusual – Borontok ransomware locks the name with probably AES cipher, then encodes with Base64, URL encodes it and then adds .rontok extension to the file’s name. In the end, the primary title of a file gets replaced by a random string of letters and numbers. 

So that the user would know what happened to their computer because the other processes were executed in the background secretly, Borontok virus drops the ransom note and links to the payment website saying this:

Ops … Your file have encrypted Been
And your database file have encrypted Been of too
the UUID: [unique ID]
the Click to found here the get decryption key

And also this:

Send 20 BTC to this address:
Your files and databases will be destroyed on 3 days.
Negotiate? contact: [email protected]
[unique ID]
Enter the TX ID BTC Already the if you sent bitcoin …

Right now, there are a few websites, which work as an online ransom note but they all say the exact same thing, that files are going to be destroyed in 3 days if you won’t pay and that you can negotiate via email ([email protected], [email protected], [email protected]) with the hackers. Even if you decide to Contact them, there is a very little chance that so-called ‘Vietnamese Hacker’ will give back your files or lower the ransom to a reasonable amount.

Right now, there isn’t much information on how exactly Borontok ransomware is able to infect the systems, yet the probability is that the crooks are using the typical virus proliferation methods such as malspam, P2P networks, Trojans, exploit kits, camouflaged malicious links, fake updates, RaaS service and etc. The primary comment on BleepingComputer claimed that the files in the system were attacked after the virus encrypted client’s website and then moved on to the computer. While this technique is possible, knowing how much Borontok virus demands, it would be naive to expect that it only uses one way to proliferate, therefore full security measures need to be taken and Rontok ransomware should be removed from all the infected places in order not to escalate the further distribution.

How to eliminate Rontok virus and get files back

There is no easy solution when it comes to fixing all the damage from Borontok (Rontok) virus. This is one of the most unfortunate malware infections because even if you remove the ransomware, it does not guarantee that your now .rontok marked files will be back. Of course, users that have all the backups of their necessary files can feel relieved and restore data as shown below in the instructions. But beforehand, no matter if you have the snapshots or not, you must remove the Rontok cryptovirus, because it will continue on damaging your computer and locking newly added data, re-encrypting recovered files. In order to do so, we simply suggest trusting the B0r0nt0k ransomware issue to special anti-spyware programs, which know what they are doing and won’t leave space for faults.

If your compromised machine is running on MacOS then we suggest Combo Cleaner, and if the affected data is on Windows you should go for Spyhunter. You are not obliged to stick to these security applications and can choose any, yet make sure that they are not rogue antivirus tools, which can make the situation even worse. Here’s our list of malware removal programs with their ratings, that can help you decide. Only when the machine is completely free from ransomware and other threats you can begin either the recovery processes or using the computer normally again. If you haven’t gotten a chance to make backups or they were deleted by the Rontok virus, there isn’t much you can do get them back at the moment. However, since malware experts are working on the decryptor, we suggest storing the .rontok files in the computer and checking online for decryption updates on, or security forums.

Automatic Malware removal tools

Download Spyhunter for Malware detection

Note: Spyhunter trial provides detection of parasites and assists in their removal for free. limited trial available, Terms of use, Privacy Policy, Uninstall Instructions,

Download Combo Cleaner for Malware detection

Note: Combo Cleaner trial provides detection of parasites and assists in their removal for free. limited trial available, Terms of use, Privacy Policy, Uninstall Instructions, Refund Policy ,

How to recover Borontok/Rontok virus encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP
  • Start Shutdown RestartOK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt. Windows 7 enter safe mode

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart. Windows 8-10 restart to safe mode
  • Choose TroubleshootAdvanced OptionsStartup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings. Windows 8-10 enter safe mode

2.Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.CMD commands
  • Click “Next” in the windows that appeared. Restore point img1
  • Select one of the Restore Points that are available before Borontok/Rontok virus has infiltrated to your system and then click “Next”. Restore point img2
  • To start System restore click “Yes”. Restore point img3

Step 2. Complete removal of B0r0nt0K

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to Borontok. You can check other tools here.  

Step 3. Restore Botontok affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Borontok/Rontok virus tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select PropertiesPrevious versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.
Previous version
b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Shadow explorer

Step 4. Use Data Recovery programs to recover Borontok/Rontok virus encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
  • Download a data recovery program.
  • Install and scan for recently deleted files. Data Recovery Pro
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.

Removal guides in other languages

Leave a Reply

Your email address will not be published. Required fields are marked *