Anti-Malware , Data Loss , Ransomware

South Korean Hosting Firm Pays $1 Million Ransom

Erebus Ransomware Gang Hits Pay Dirt After Encrypting Outdated Linux Servers
South Korean Hosting Firm Pays $1 Million Ransom
Sreenshot of a video from the Erebus gang demonstrating how ransom-paying victims can decrypt their files. (Source: Trend Micro)

South Korean web hosting firm Nayana has agreed to pay its attackers a record-shattering $1 million to unlock servers encrypted by ransomware.

See Also: Effective Cyber Threat Hunting Requires an Actor and Incident Centric Approach

The web host was hit June 10 by the ransomware attack, at 1:30 a.m. local time, leading to 153 of the company's Linux servers being forcibly encrypted. The company says it immediately reported the attack to authorities and launched an investigation, and was initially hopeful government cybersecurity experts might be able to crack the ransomware crypto.

Nayana first alerted its 3,400 customers to the breach on June 10, and has since been issuing regular updates. All of its customers appear to have been affected by the attack, which compromised not just website hosting, but also hosting databases and multimedia files.

Security firm Trend Micro says the ransomware appears to be a variant of Erebus, aka Elfe Rebus, which first appeared in September 2016 via malvertisements - malicious advertisements - that diverted users to the Rig exploit kit, which would infect the victim's systems with Erebus. Trend Micro said organizations in South Korea appeared to be the primary target of that campaign.

This isn't the first time that ransomware developers have adapted their attack code to target Linux devices, including servers (see Linux KillDisk Ransomware Can't Decrypt).

But Trend Micro says attackers' efforts were aided by Nayana running a bevy of outdated systems sporting known vulnerabilities, which - in theory - provided attackers with an easy infection vector. For example, Trend Micro researchers say, Nayana's website appears to be running Linux kernel 2.6.24.2, which was compiled in 2008, and uses Apache version 1.3.36 and PHP version 5.1.4, both released in 2006. All sport known vulnerabilities that could have been exploited to unleash a ransomware infection.

Nayana Negotiated With Attackers

Nayana said that it's been attempting to restore systems - using any customer-provided backups - after its own backups were encrypted by the ransomware. "We tried to recover the backed up data," the company said in a June 11 update. "But we found that both the internal backup ... and the external backup were infected with ransomware and all were encrypted."

Attackers initially demanded a ransom of 10 bitcoins per crypto-locked Linux server, which was then worth about $5 million. Nayana then negotiated a reduction in the ransom to 5.4 bitcoins per server - or 826 bitcoins in total - before reaching a final deal of 397.6 bitcoins, worth about $1 million.

Erebus has a multilingual ransom note, including this English-language version. (Source: Trend Micro)

Security researchers have found that some - but not all - ransomware gangs will negotiate with victims and in some cases even provide technical support designed to expedite victims' ability to procure and remit their ransom payment in cryptocurrency (see Ransomware Gangs Take 'Customer Service' Approach).

Nayana CEO Hwang Chilghong said in a Thursday update that he had agreed to pay the ransom demand in three installments. After sending the first installment that same day, he reported that attackers had sent decryption keys for some of the affected servers. Hwang said that once a decryption key was received, it could take at least two weeks to fully restore that batch of servers. "We will do our best to make every service normalized as soon as possible," he said, adding that "we will improve the security of the vulnerable areas with government agencies as much as possible."

The company said it has taken out loans to cover the $1 million ransom payment.

Record-Setting Ransomware Payment

While it's possible that other firms have paid ransoms of this amount - or more - on the sly, multiple security experts say this payment appears to be a record-setter. "This is the largest *paid* ransom I've seen to date. Definitely a game changer as ransomware goes more corporate," Jake Williams, a cybersecurity consultant and exploit development instructor for SANS Institute, says via Twitter.

In general, law enforcement agencies urge ransomware victims to never pay ransoms, while acknowledging that the final choice is up to victims. But they caution that paying will perpetuate such attacks, may lead attackers to try and extort even more money from a victim - as happened last year to Kansas Heart Hospital - and that there is no guarantee that criminals will honor their promise to share a working decryption key.

Nayana says the first batch of decryption keys that it received appear to be functioning as promised, but reported Sunday that the second batch of decryption keys was leading to some database errors, and that it was currently talking to its "hacker" to try and resolve them. The company said it was waiting to pay the third ransom installment until it verified that the second batch works as advertised, although by Tuesday it was proceeding with the third payment, thus suggesting the database restoration problems had been resolved.

Linux Ransomware Variant

Sometimes, security researchers can find flaws in the ransomware and crack its crypto (see Two New Ransomware Decryptors Give Victims a Free Out).

But Erebus is not yet on the list of ransomware that's been cracked, and it seems like its developers deployed their crypto carefully.

"The variant that infected Nayana's servers is Erebus ransomware ported to Linux servers," according to Trend Micro.

The security company says its analysis of the ransomware found that it employs the RSA algorithm to encrypt AES keys, that files have individual files have been encrypted using unique AES keys, and that the ransomware is designed to be tough to eradicate. "Its persistence mechanisms include adding a fake Bluetooth service to ensure that the ransomware is executed even after the system or server is rebooted," the security firm says. "It also employs the Unix cron - a utility in Unix-like operating systems like Linux that schedules jobs via commands or shell scripts - to check hourly if the ransomware is running."

Solution: Preparation, Offline Backups

Security experts have long warned organizations that the best way to defend themselves against ransomware is to keep all systems patched and updated, to use anti-malware software, as well as to keep offline backups. As Nayana discovered, unless backups are stored offline, many types of ransomware will encrypt them too.

Trend Micro also recommends network segmentation, to restrict the impact of ransomware outbreaks, and monitoring network traffic, to help block and identify malware attacks. In addition, it recommends applying "the principle of least privilege" whenever possible to restrict the ability of programs to make modifications to Linux systems.

Ransomware designed to infect Linux servers is not new. In fact, Linux has been targeted by crypto-locking ransomware - including Crysis, Petya and Samsam - since 2014. "Erebus isn't the first file-encrypting malware to target Linux systems, or even servers," Trend Micro notes. "Linux.Encoder, Encryptor RaaS, a version of KillDisk, Rex, Fairware, and KimcilWare are all capable of targeting machines running Linux. In fact, Linux ransomware emerged as early as 2014, and were offshoots of open source projects supposedly designed for educational purposes."


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network