kaptn - Fotolia

Web hosting firm agrees to pay $1m ransomware demand

South Korean hosting firm Nayana agrees to pay more than $1m to restore data that was encrypted by a ransomware attack on its Linux servers on 10 June 2017

Web hosting firm Nayana was hit by Erebus ransomware infecting 153 Linux servers and more than 3,400 business websites the company hosts, according to security firm Trend Micro.

According to Nayana, the attackers initially demanded 550 bitcoins worth around $1.62m to decrypt the affected files, but on 14 June the company said it had negotiated a payment of 397.6 bitcoins worth around $1.01m to be paid in three instalments.

In a statement posted on Nayana’s website on 17 June, the company said it had already paid the second instalment.

The following day, Nayana started recovering the servers in batches, but some of the servers in the second batch are currently experiencing database errors, according to a Trend Micro blog post.

A third payment instalment is also expected to be paid, according to Trend Micro, but only after the first and second batches of servers have been recovered.

Cross-industry initiative No More Ransom advises organisations against paying the ransom demanded because there is no guarantee that the encrypted data will be restored.

Erebus was first seen on September 2016 when it was distributed through malvertising campaigns. It re-emerged on February 2017 using a method that bypasses Microsoft Windows’ User Account Control.

Trend Micro said it is still not certain how the Linux version was distributed, but the security firm’s researchers have speculated that Erebus may have used a Linux vulnerability such as Dirty Cow that can provide attackers with root access to vulnerable Linux systems.

Based on open source intelligence, Trend Micro said Nayana’s website runs on Linux kernel 2.6.24.2, which was compiled back in 2008.

Nayana’s website also uses Apache webserver version 1.3.36 and PHP version 5.1.4, both of which were released back in 2006, and Apache vulnerabilities and PHP exploits are well known, the security firm said.

Read more about ransomware

  • Businesses still get caught by ransomware, even though straightforward avoidance methods exist.
  • Criminals used devices compromised for click fraud as the first step in a chain of infections leading to ransomware attacks, said security firm Damballa.
  • The first half of 2014 saw an increase in online attacks that lock up user data and hold it to ransom.
  • The Cryptolocker ransomware caught many enterprises off guard, but there is a defence strategy that works.

Although this ransomware is limited in terms of coverage and is heavily concentrated in South Korea, Trend Micro said Unix and Unix-like operating systems such as Linux are poised to be lucrative for cyber criminals as ransomware continues to diversify and mature in the threat landscape.

The security firm notes that Unix and Unix-like operating systems are a ubiquitous part of the infrastructures that power many enterprises, used by workstations and servers, web and application development frameworks, databases, and mobile devices, among others.

“As we’ve seen in other families such as WannaCry, SamSam, Petya, or HDDCryptor, the capability to affect servers and network shares amplifies the impact. A single, vulnerable machine on a network is sometimes all it takes to infect connected systems and servers,” said Trend Micro.

Given the risks to business operations, reputation and bottom line, the security firm said enterprises need to be proactive in keeping threats such as ransomware at bay.

“There is no silver bullet to ransomware like Erebus, which is why IT/system administrators should have a defense-in-depth approach to security,” Trend Micro said.

Best practices for mitigating ransomware include backing up critical files; disabling or minimising third-party or unverified repositories; applying the principle of least privilege; ensuring servers and endpoints are updated; regularly monitoring the network; and inspecting event logs to check for signs of intrusions or infection.

Security mechanisms that can be considered include IP filtering, as well as intrusion prevention and detection systems; security extensions in Linux that manage and limit access to files or system/network resources; network segmentation and data categorisation to curtail and mitigate infection and further damage; and enabling privilege separation in Linux.

Read more on Hackers and cybercrime prevention