South Korean Web hosting provider NAYANA was made to pay $1 million in Bitcoins to con artists after its 153 servers were attacked by ransomware. 3400 business websites went offline because of that, and all of the data associated with them was encrypted. According to a NAYANA blog post, it occurred on June 10. NAYANA had become a victim of cybercriminals – its hosting servers were compromised and the con artists behind the virus demanded 550 Bitcoins to return the files to their original state. 550 Bitcoins equal more than $1.6 million, so the amount is staggering, to say the least.
My boss tell me, you buy many machine, give you a good price 550 BTC
If you do not have enough money, you need make a loan
You company have 40+ employees, every employee’s annual salary $ 30,000
all employees 30,000 * 40 = $ 1,200,000
all server 550BTC = $ 1,620,000
If you can not pay that, you should go bankrupt.
But you need to face your child, wife, customers and employees.
Also, you will lose your reputation, business.
You will get many more lawsuits.
NAYANA was able to renegotiate the price, get it down to 397.6 Bitcoins (nearly $1.01 million), and the cybercriminals agreed to accept it in three installments, but the company has still suffered a great financial loss. It has so far paid two of the installments, and the last one will be sent once two-thirds of the affected data are restored.
Trend Micro, a security company, has published a post saying that the ransomware employed in the attack carries the name Erebus. It was discovered for the first time in September 2016 and was spotted again in February 2017, carrying Windows User Account Control bypass capabilities. Since NAYANA’s hosting servers were running Linux kernel 126.96.36.199, Trend Micro believes that Erebus might have abused local Linux exploits or known vulnerabilities like DIRTY COW to obtain root access to the system. The version of Apache the company used ran as the user nobody (uid=99) – this may be a sign that a local exploit was abused during the ransomware attack. It is also important to note that NAYANA’s homepage runs Apache 1.3.36 and PHP 5.1.4, both of which were released in 2006. The fact that many firms still use technologies that are more than 10 years old is a well-known problem, and doing so puts them in danger. Unfortunately, not all of them are ready to invest their money in cyber security.
Going back to the topic of Erebus itself, it targets databases, archives, Office documents and multimedia files. An RSA-2048 algorithm is used to encrypt them and the “.ecrypt” extension is then appended to all of them. The ransom note containing all the instructions on how to make a payment is displayed after that.
The public key, which is generated locally, is shared, but the private key is encrypted with an AES algorithm and another key which is randomly generated. Con artists don’t want to lose their profits, so they go to great lengths to protect their cash cow. It’s imperative for companies to take note of that and do the same; otherwise attacks like this will continue to be very fruitful for the people orchestrating them.
According to analysis carried out by Trend Micro, it’s impossible to decrypt the compromised data without the RSA keys sold by the cybercriminals behind Erebus. That’s why it’s imperative to make backup copies of files frequently – even if a threat of this type manages to get onto corporate servers, it could be eliminated with a program like SpyHunter and the data could then be restored. But avoiding ransomware is still the best method of dealing with it. It’s distributed through attachments in spam emails and corrupted links hosted on file-sharing services and adult websites, and it can also be disguised as software updates. Company owners are strongly advised to make all their employees aware of that – if they take this step and also adhere to the guidelines above, they won’t have to waste time dealing with problems that could have been prevented and lose revenue as a result.
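Backups are the recovery path; detection is what shortens the window before they are needed. The behaviour the article describes (many files renamed to carry the ".ecrypt" extension in a short period) is a pattern a file-event monitor can flag. The script below is an added example, not code from the article, from NAYANA or from Trend Micro: it parses a constructed file-event log in an assumed format ("<ISO timestamp> <KIND> <src> [-> <dst>]", paths without spaces), counts ".ecrypt" renames in a sliding time window, and raises an alert when the count reaches a threshold. The five-minute window, the threshold of 20 and the sample paths are assumptions chosen for illustration.

```python
"""Added example: detector for a mass-rename burst (files gaining ".ecrypt").
Log format, sample data, window and threshold are constructed assumptions."""
import os
from collections import namedtuple
from datetime import datetime, timedelta

SUSPECT_EXTENSION = ".ecrypt"   # extension the article attributes to Erebus
WINDOW = timedelta(minutes=5)   # assumed detection window
THRESHOLD = 20                  # assumed: renames per window that trigger an alert

Event = namedtuple("Event", "ts kind src dst")


def build_sample_log():
    """Constructed file-event log: normal activity followed by a burst of renames.
    Format (assumed, not from the page): '<ISO timestamp> <KIND> <src> [-> <dst>]'."""
    lines = [
        "2017-06-10T01:58:10 WRITE /var/www/site1/uploads/photo.jpg",
        "2017-06-10T02:03:42 RENAME /var/www/site2/draft.doc -> /var/www/site2/final.doc",
    ]
    base = datetime(2017, 6, 10, 2, 14, 0)
    for i in range(25):  # 25 renames, 3 seconds apart, spread over three site directories
        ts = (base + timedelta(seconds=3 * i)).isoformat(timespec="seconds")
        src = f"/var/www/site{i % 3}/db{i}.sql"
        lines.append(f"{ts} RENAME {src} -> {src}{SUSPECT_EXTENSION}")
    return "\n".join(lines)


def parse_events(text):
    """Parse log lines into Event tuples; paths are assumed to contain no spaces."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_str, kind, rest = line.split(" ", 2)
        if kind == "RENAME":
            src, dst = (p.strip() for p in rest.split("->", 1))
        else:
            src, dst = rest, None
        events.append(Event(datetime.fromisoformat(ts_str), kind, src, dst))
    return events


def detect_mass_encryption(events, ext=SUSPECT_EXTENSION, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window count of renames whose destination ends with `ext`.
    Returns an alert dict for the densest window if it reaches `threshold`, else None."""
    hits = sorted(
        (e for e in events if e.kind == "RENAME" and e.dst and e.dst.endswith(ext)),
        key=lambda e: e.ts,
    )
    best = None
    start = 0
    for end, event in enumerate(hits):
        # advance the window start until the span fits inside `window`
        while event.ts - hits[start].ts > window:
            start += 1
        count = end - start + 1
        if best is None or count > best["count"]:
            best = {
                "count": count,
                "first": hits[start].ts,
                "last": event.ts,
                "directories": sorted({os.path.dirname(h.dst) for h in hits[start:end + 1]}),
            }
    if best and best["count"] >= threshold:
        return best
    return None


if __name__ == "__main__":
    alert = detect_mass_encryption(parse_events(build_sample_log()))
    if alert:
        print(f"ALERT: {alert['count']} files renamed to {SUSPECT_EXTENSION} "
              f"between {alert['first']} and {alert['last']} in {alert['directories']}")
    else:
        print("no mass-encryption pattern found")
```

On a real host the events would come from an audit or inotify feed rather than a string, and the threshold should be tuned against normal rename rates for the directories being watched; the sliding window is what keeps a slow, legitimate batch of renames from tripping the alert while a burst of the kind described above still does.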