Virtual Event Now Live: Zero Trust Strategies Summit! - Login for Access
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Web Hosting Provider Pays $1 Million to Ransomware Attackers

South Korean web hosting company Nayana agreed to pay $1 million in Bitcoin after a ransomware attack hit 153 Linux servers.

South Korean web hosting company Nayana agreed to pay $1 million in Bitcoin after a ransomware attack hit 153 Linux servers.

The attack took place June 10 and resulted in over 3,400 business websites the company hosts being encrypted. According to the Nayana’s initial announcement, the attacker demanded 550 Bitcoins (over $1.6 million) to decrypt the infected files. Following negotiations, they lowered the ransom demand to 397.6 Bitcoins (around $1.01 million).  

The payments, the company announced, will be made in three batches, and the attackers will decrypt the affected servers accordingly. Two payments were already made, and the company is currently in the process of recovering the data from the first two server batches.

The ransomware used in this attack, Trend Micro reveals, was Erebus, a piece of malware that was initially spotted in September 2016 and which was already seen in attacks earlier this year, when it packed Windows User Account Control bypass capabilities.

Apparently, someone ported the ransomware to Linux and is using it to target vulnerable servers. Running on Linux kernel 2.6.24.2, which was compiled back in 2008, Nayana’s website is vulnerable to a great deal of exploits that could provide attackers with root access to the server, such as DIRTY COW, Trend Micro notes.

The company’s website also uses Apache version 1.3.36 and PHP version 5.1.4, both released in 2006 and known to include vulnerabilities. Most likely, the vulnerable Linux installation was used as an entry point to run the Erebus ransomware on Nayana’s systems. The Apache version that Nayana uses runs as a user of nobody(uid=99) and “a local exploit may have also been used in the attack,” the researchers say.

The ransomware appears heavily targeted to South Korea, although samples were submitted to VirusTotal from Ukraine and Romania too (Trend Micro suggests that there might be other researchers who have found the malware).

Erebus uses a sophisticated encryption method that makes decryption difficult without the RSA keys. The malware uses the RSA algorithm to encrypt AES keys and each infected file is encrypted with a unique AES key. However, the RSA-2048 public key is shared.

Advertisement. Scroll to continue reading.

“The file is first scrambled with RC4 encryption in 500kB blocks with randomly generated keys. The RC4 key is then encoded with AES encryption algorithm, which is stored in the file. The AES key is again encrypted using RSA-2018 algorithm that is also stored in the file,” Trend Micro explains.

The ransomware targets Office documents, databases, archives, and multimedia files, being able to encrypt a total of 433 file types. However, the malware was built specifically to target and encrypt web servers and data stored in them, the researchers say.

“As exemplified by Nayana, Linux is an increasingly popular operating system and a ubiquitous element in the business processes of organizations across various industries—from servers and databases to web development and mobile devices. Data centers and hosting/storage service providers also commonly use machines running Linux, for instance,” Trend Micro concludes.

Related: Erebus Ransomware Bypasses UAC for Privilege Elevation

Related: When Ransomware Hits Healthcare: To Pay or Not to Pay?

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Threat intelligence firm Intel 471 has appointed Mark Huebeler as its COO and CFO.

Omkhar Arasaratnam, former GM at OpenSSF, is LinkedIn's first Distinguised Security Engineer

Defense contractor Nightwing has appointed Tricia Fitzmaurice as Chief Growth Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.