South Korean Web Host Pays $1m to Erebus Ransomware

Ordinary computer users usually assume that malicious infections are programs that attack personal computers, but that is not the whole picture. Keeping in mind that the main objective of cyber criminals is money, it is obvious that ordinary PCs might not be the most lucrative target. The people behind Erebus Ransomware clearly understand that, as they have recently hit a web hosting company in South Korea.

South Korean web hosting firm Nayana was infected by Erebus Ransomware on June 10th at 1 AM. This malicious program is not a new player on the block: it was first detected in September 2016, and it reappeared in February 2017. The infection would usually enter target systems using a method that allows it to bypass Windows’ User Account Control. The new version of this program appears to have been modified to target Linux, as the web host runs Linux servers. As a result, the infection affected 153 servers hosting more than 3,400 customer websites.

It is fair to say that Erebus Ransomware is going for a big payout, as the initial ransom demand was about $4.4m USD. According to the post on the firm’s website, the owners managed to negotiate the ransom down to around $1m USD, but on June 12th the CEO also stated that the money the company currently had at hand was around $350,000 USD. The criminals, on the other hand, seemed sure that Nayana could pay, judging by the ransom note they sent to the company:

My boss tell me, your buy many machine, give you good price 550 BTC
If you do not have enough money, you need make a loan

You company have 40 + employees,
every employee’s annual salary $30,000
all employees 30,000*40 = $1,200,000
all server 550BTC = $1,620,000

If you can’t pay that, you should go bankrupt.
But you need to face your childs, wife, customer and employees.
Also your will lost your reputation, business.
You will get many more lawsuits.

Now, the question is how Nayana got infected with such a sinister ransomware application. Computer security researchers suggest that a local exploit was used, as the infection seems to be concentrated in South Korea. What is more, this is not just a matter of an attack focused on a single target; it is also a matter of the system that was targeted. It would not be too far-fetched to say that the web hosting company did not take all possible measures to prevent such an infection.

Researchers from security firm Trend Micro suggested that the entire system was vulnerable simply because it was old. The Nayana website ran a Linux kernel released back in 2008, while the Apache version used on the site was released in 2006, which is 11 years ago! Such old components are bound to have vulnerabilities that can be easily exploited by cyber criminals, especially if they are no longer supported by their vendors and are not patched.

This illustrates one of the main problems with the South Korean internet landscape. The country seems to lead the world in cutting-edge technology and innovation, but at the same time a lot of outdated systems are still in use today. It is common to see a public computer running Windows XP in South Korea, and online shopping websites only recently began removing ActiveX from their purchase processes. Up until a few years ago, it was basically impossible to complete a purchase with any browser other than Internet Explorer.

Thus, whoever is attacking South Korean web servers individually clearly knows their main vulnerabilities. It also raises further security concerns, indicating that attacks on firms of a similar profile may continue in the future.

As for Nayana, this is the official notice they posted on their blog on June 22nd:

This is Internet Nayana director Hwang Chilhong.

First, I would like to sincerely apologize to everyone who has been afflicted by the Erebus Ransomware infection.

Since the cyber attack took place on June 10th, 2017 at 1 AM, we have tried hard to look for ways to retrieve the files encrypted by the ransomware attack together with the South Korean Internet Promotion Agency and the Cybercrime Division.

Also, we tried to contact domestic and international security companies and white hackers, looking for a way to restore the encrypted files, and we also negotiated for the decryption key with the hackers themselves.

The hacker first requested 5 billion won in Bitcoins (~$4.4m USD), and after the negotiation, the ransom was lowered to 1.8 billion won (~$1.5m USD). However, the company’s assets could not come up with such an amount, and after a few more attempts, we negotiated to 397.6 Bitcoins (~$1m USD).

The message goes on to say that they have received a decryption key from the hackers, but that it will take more time to recover the servers. The CEO still assures customers that the company is doing its best to restore the damaged data. The message has pessimistic undertones, as they do not seem to believe they can restore the data 100%, and it clearly puts the business, which they have been building for 20 years, at risk of bankruptcy.

Thus, the bottom line is that no one is safe, and corporations should feel the urge to eliminate potential vulnerabilities that could be easily exploited by cyber criminals. The more clients they have and the more data they store, the bigger their responsibility to secure that information.

References:

  1. Robert Abel. Erebus ransomware attacked demanded $1.62 million from South Korean firm. SC Magazine
  2. Dan Goodin. Web host agrees to pay $1m after it’s hit by Linux-targeting ransomware. Ars Technica
  3. Vencislav Krustev. $1 Million Paid to Erebus Ransomware by South Korea Company NAYANA. Sensors Tech Forum
  4. Nayana Customer Center. http://www.nayana.com/bbs/set_view.php?b_name=notice&w_no=961. Nayana
  5. Nayana Customer Center. http://www.nayana.com/bbs/set_view.php?b_name=notice&w_no=969. Nayana
  6. Ms. Smith. South Korean web hosting company infected by Erebus ransomware. Network World