A variant of the Erebus ransomware has hit a South Korean web hosting company hard, and disrupted the websites of thousands of businesses.
Nayana, a South Korean web hosting firm, was hit hard by a ransomware attack earlier this month which hit over 153 of its Linux servers, and impacting over 3,400 websites the company hosts for its business customers.
Nayana’s systems are thought to have been hit by a Linux variant of the Erebus ransomware, designed to encrypt files on web servers and demand a payment for the data’s safe return. In all, Erebus hunts for 433 different file types on web servers – including documents, databases, images and videos.
Two weeks later, Nayana is still attempting to recover normal operations for its customers and has been posting updates on its forum detailing its progress.
Initially, the criminals behind the ransomware attack demanded 550 Bitcoins (approximately US $1.6 million):
My boss tell me, you buy many machine, give you a good price 550 BTC
If you do not have enough money, you need make a loan
You company have 40+ employees, every employee’s annual salary $ 30,000
all employees 30,000 * 40 = $ 1,200,000
all server 550BTC = $ 1,620,000
If you can not pay that, you should go bankrupt.
But you need to face your child, wife, customers and employees.
Also, you will lose your reputation, business.
You will get many more lawsuits.
After some negotiation, however, the ransom demand was reduced to 397.6 Bitcoins (a little more than US $1 million).
Of course, even that is a considerable amount of money for a victim of a cybercrime to pay out. Because of a lack of available funds, Nayana has agreed with the blackmailers to pay the ransom in three installments and – according to ZDNet – lent shares in Nayana to a firm which has previously been interested in acquiring the web-hosting business.
Obviously, questions must be asked as to why Nayana had to resort to paying criminals for the safe return of its data, and why it felt it wasn’t in a position to restore customers’ servers from secure backups in a timely fashion instead.
But more than that there remains the question of just how Nayana’s servers managed to be compromised so thoroughly. Researchers at Trend Micro report that Nayana’s Apache web servers appear to have been left unpatched for years, leaving them vulnerable to exploitation via well-known security holes that could have given an attack root access.
Whether that is the route through which Erebus managed to sneak its way onto Nayana’s systems with such dramatic effect is uncertain, but what is clear is that if any company leaves itself unpatched and unprotected it is constantly in danger of being attacked again and again and again.
Ransomware isn’t going away. It’s one of the most effective ways for online criminals to make themselves a fortune. Ensure that you are properly protecting the computers you are responsible for, making regular secure backups, and deploying layered security measures to reduce the risk.