The South Korean web hosting provider NAYANA has paid $1 million in bitcoins to crooks after a Linux ransomware infected its systems. its 153 servers, encrypting 3,400 business websites and their data, hosted on them.
The ransomware encrypted files of 153 servers, roughly 3,400 business websites have been impacted.
“On June 10, South Korean web hosting company NAYANA was hit by Erebus ransomware (detected by Trend Micro as RANSOM_ELFEREBUS.A), infecting 153 Linux servers and over 3,400 business websites the company hosts.” reported Trend Micro that revealed the ransomware used in the attack is Erebus.
The attack happened on 10th June, the cyber criminals demanded a 550 bitcoins payment (over $1.6 million) to unlock the encrypted files. NAYANA after a negotiation with the cyber criminals has agreed to pay 397.6 bitcoins (around $1.01 million) in three installments.
The Erebus Linux ransomware was first spotted in September 2016, in February a new version was improved implementing Windows’ User Account Control bypass capabilities.
“NAYANA’s website runs on Linux kernel 126.96.36.199, which was compiled back in 2008. Security flaws like DIRTY COW that can provide attackers root access to vulnerable Linux systems are just some of the threats it may have been exposed to.” states Trend Micro..
“Additionally, NAYANA’s website uses Apache version 1.3.36 and PHP version 5.1.4, both of which were released back in 2006. Apache vulnerabilities and PHP exploits are well-known; in fact, there was even a tool sold in the Chinese underground expressly for exploiting Apache Struts.”
The Erebus ransomware is targeting users in South Korea, it leveraged RSA-2048 algorithm to encrypt office documents, databases, archives, and multimedia files. The private key is encrypted using AES encryption and another randomly generated key.
The malicious code appends a .ecrypt extension to the encrypted files.
“The file is first scrambled with RC4 encryption in 500kB blocks with randomly generated keys,” continues the analysis. “The RC4 key is then encoded with AES encryption algorithm, which is stored in the file. The AES key is again encrypted using RSA-2048 algorithm that is also stored in the file.”
(Security Affairs – Erebus ransomware, cybercrime)