Erebus Ransomware attack: South Korean Nayana pays $1M

Erebus Ransomware

Nayana, a South-Korean web hosting company paid $1.01 million in ransom after it was attacked by hackers using Erebus Ransomware. Security researchers at TrendMicro, a Japanese cyber security company named the malware ‘Linux Ransomware’ as it locked Nayana’s 153 Linux servers and over 3,400 business websites it hosts. The assets being locked included the database, videos, and images.

The hackers demanded an unprecedented 550 Bitcoins (BTC), or US$1.62 million from the company to decrypt the data. As of 29 June 2017 when the company last updated the status on its website, 73 of Nayana’s infringed servers were decrypted and 64 were in recovery.

Indeed, it is scary and shocking incident for anyone involved in a business that involves storing consumer data online.

Currently, the company is facing difficulty in recovering the data as most of the documents are in the Korean language which makes it difficult (and in some instances impossible) for the encryption-decryption program to process them.

When Did The Attack Take Place?

The incident was first reported by Nayana on its website on 10 June 2017 in a notice titled “Emergency Announcement: Server check due to ransomware attack”. The hackers infected Nayana’s servers at 1:00 am on June 10th. The web hosting company also informed Korea National Internet Development Agency (KISA) about the incident.

Nayana Erebus Ransomware
Source: Nayana

The company was able to negotiate with hackers and trim the final amount to 397.6 BTC (around $1.01 million) payable in three installments. The company’s CEO Hwang Chilghong was desperate to resolve the situation by offering his cash assets of 400 million won (around $349376).

How Did Hackers Break Into Nayana’s System?

The security firm TrendMicro assessed the attack to have been caused by a local Linux exploit. “Based on open-source intelligence, NAYANA’s website runs on Linux kernel, which was compiled back in 2008. Security flaws like DIRTY COW that can provide attackers root access to vulnerable Linux systems are just some of the threats it may have been exposed to,” wrote Ziv Chang, Gilbert Sison, and Jeanne Jocson of TrendMicro.

Apparently, the hackers broke into Nayana’s servers using PHP exploits and Apache vulnerabilities. The web hosting company was using Apache version 1.3.36 and PHP version 5.1.4 released in 2006.

Let’s clear that Nayana is neither the first nor the last company to be hit by ransomware. It’s just that hackers saw a low-hanging fruit in Nayana’s case.

Why Now?

Cyber-attack incidents involving ransomware have increased in the past few months, partly due to a high-profile theft of cyber weapons stockpiled by NSA. The Erebus Ransomware was first discovered in 2016 and 2015 when hackers used remote desktop protocol (RDP) brute force tactics.

Recently, Petya Ransomware hit Ukraine, Russia, and some organizations in the European region. Among the major victims of Petya were British advertising firm WPP, Russian oil giant Rosneft, law firm DLA Piper and Ukraine’s central bank. Prior to Petya, the ‘WannaCry’ Ransomware hit organizations across Europe. The British National Health Service was the hardest hit by WannaCry.

The Implications

A single, vulnerable machine on a network is sometimes all it takes to infect connected systems and servers,” notes TrendMicro’s blog. True that.

It took only one home Wi-Fi modem for hackers to break into the corporate network of IDT, an American public telecommunications company having revenues north of $1.6 billion and 1000 employees across 20+ countries.

I’ve written consistently about how the ransomware is a bigger threat than any other malware we’ve seen in the recent past. There are reasons. You lose access to your data; you also end up paying money while being unsure if you’ll recover the data 100% even after paying the ransom. Plus, you never know the real motive of a hacker mounting a ransomware attack, as was the case in IDT Corp.’s case. The company was attacked using EternalBlue and DoublePalsar stolen by hackers from NSA’s stockpile of cyber weapons. The hacker used ransomware as a disguise to steal IDT’s employee credentials. The arrival vector for the IDT-aimed attack was a home Wi-Fi of one of IDT’s contractors.

In other cases, such as South-Korea based Nayana and WannaCry, the aim has been to mint money by encrypting data and demanding heavy ransom in exchange of decrypting the data. Don’t wait for the authorities and corporations to act on your behalf, they are also under attack. At least, follow the best practices mentioned below and keep your guard on.

Best Practices

  • Regularly backup your sensitive data (at-least-monthly/quarterly)
  • Avoid reusing one password across multiple accounts
  • Regularly install the security updates and software patches offered by Hardware & software vendors (Windows should be high on your list)
  • Do not open shady email attachments or visit websites you do not trust
  • Use additional Anti-virus software in addition to basic system-default software

These are just baseline best practices you may adopt at an individual level. For corporate entities and companies handling consumer data, you need to adopt additional measures of securing your machines, software, and networks.

Leave a Reply

Your email address will not be published. Required fields are marked *

Categories: Internet Security and Privacy News
Tags: ransomware