A Web Hosting Company Pays $1 Million To Ransomware Hackers To Get Their Files Back

$1 Million Paid To Ransomware Hackers

A South Korean web hosting provider, Nayana has agreed to pay $1 million to the hackers. A Linux Ransomware infected the company’s 153 servers and encrypted 3,400 business websites and their data.

The hackers demanded $4.4 million in Bitcoin to return their data to the company. Finally, the payment came to $1 million in Bitcoin after eight days of bargaining. The company agreed to pay 397.6 Bitcoins in three installments to get their files decrypted.

The company has already paid two installments at the time of writing the agreement. And the last installment would be paid after the company gets two-third of their data and files decrypted. The ransomware used in the attack was Erebus which was found last year in September. It was seen in Windows’ User Account Control bypass capabilities in February this year.

Since the hosting servers were running on Linux kernel 2.6.24.2, researchers believe that Erebus Linux ransomware might have used known vulnerabilities, like DIRTY COW or a local Linux exploits to take over the root access of the system.

Researchers found, “The version of Apache NAYANA used is run as a user of nobody(uid=99), which indicates that a local exploit may have also been used in the attack. Additionally, NAYANA’s website uses Apache version 1.3.36 and PHP version 5.1.4. Both the versions were released back in 2006.”

The primary target of this Erebus ransomware was the users in South Korea. It encrypts office documents, databases, archives, and multimedia files using the RSA-2048 algorithm and then appends them with a .ecrypt extension before displaying the ransom note.

Researchers say, “The file is first scrambled with RC4 encryption in 500kB blocks with randomly generated keys. The RC4 key is then encoded with AES encryption algorithm, which is stored in the file. The AES key is again encrypted using the RSA-2048 algorithm that is also stored in the file.”

The public key which is generated locally is shared, while the private key is encrypted using AES encryption and another key generated randomly.

According to the analysis conducted by the Trend Micro researchers, decryption of infected files is not possible without getting hold of the RSA keys.

So, the only safe way of dealing with ransomware attacks is prevention. As we have previously recommended, the best defense against Ransomware is to create awareness within the organizations, as well as to maintain back-ups that are rotated regularly.

The main reason why viruses are introduced is due to opening infected attachments or clicking on links to malware usually in spam emails. So, beware of the links received through emails and attachments from unknown sources. Keep in mind “Do Not Click” such links and attachments. More than this, make sure that your system is running the latest version of installed applications.

All these will lead your system to get attacked by any of the malware viruses, may it be ransomware. That will result in payment to get back your files and data like the South Korean web hosting company is paying $1 million to the Ransomware hackers.