Korean Hoster Coughs Up $1 Million to Ransomware Extorters


A South Korean web hosting firm has agreed to pay over $1m in Bitcoins (BTC) to regain access to its files after it and thousands of businesses it supports were hit by ransomware last week.

Nayana was infected by the Erebus ransomware, which hit 153 of its Linux servers and over 3400 customer websites, according to Trend Micro.

The attackers initially demanded 550 BTC ($1.6m) for the all-important decryption key, but in an update last week Nayana CEO Hwang Chil-hong claimed to have negotiated a payment just under 400 BTC, a little over a million dollars at the time of writing.

According to its updates, the firm appears to be paying the extorters in instalments and recovering the servers in batches, which seems to be going pretty smoothly, although Trend Micro warned that there’s still the chance that the firm could be blackmailed a second time.

That happened in the past to Kansas Heart Hospital in Wichita.

Erebus was first spotted at the end of 2016 spreading via malvertisements and re-emerged in February this year, bypassing Windows’ User Account Control to infect victim machines.

The AV giant continued:

“As for how this Linux ransomware arrives, we can only infer that Erebus may have possibly leveraged vulnerabilities or a local Linux exploit. For instance, based on open-source intelligence, Nayana’s website runs on Linux kernel 2.6.24.2, which was compiled back in 2008. Security flaws like Dirty Cow that can provide attackers root access to vulnerable Linux systems are just some of the threats it may have been exposed to.

“Additionally, Nayana’s website uses Apache version 1.3.36 and PHP version 5.1.4, both of which were released back in 2006. Apache vulnerabilities and PHP exploits are well-known; in fact, there was even a tool sold in the Chinese underground expressly for exploiting Apache Struts. The version of Apache Nayana used is run as a user of nobody (uid=99), which indicates that a local exploit may have also been used in the attack.”

Erebus is largely confined to South Korea, scrambles files in “layers of encryption algorithms”, and encrypts 433 file types, particularly targeting web servers and the data stored on them, said Trend Micro.

Organizations running Linux deployments could increasingly be in the cross-hairs of ransomware authors, making regular back-ups and best practice steps such as network monitoring and segmentation, frequent patching of servers and endpoints, and IPS/IDS essential, the firm advised.
