South Korean web hosting company Nayana has agreed to pay roughly $1 million in Bitcoin to the attackers who encrypted its files. The ransomware attack affected 153 of the provider's Linux servers in total.
The attack took place on June 10 and encrypted the data of more than 3,400 business websites hosted by Nayana. The company's initial announcement stated that the criminals demanded 550 Bitcoins (approx. $1.6 million) to release the locked files; after negotiations, the ransom was reduced to 397.6 Bitcoins.
Nayana said the ransom would be paid in three installments, with the attackers decrypting a corresponding batch of servers after each payment. Two of the payments have already been made, and the provider is now working to recover the affected data on the first two batches of servers.
According to Trend Micro researchers, the ransomware used against Nayana is Erebus, a family first spotted in September 2016. It resurfaced in Windows campaigns in February 2017, by then carrying a User Account Control (UAC) bypass.
Someone has evidently ported it to Linux and is aiming it at poorly maintained servers. Trend Micro notes that Nayana's site was running Linux kernel 2.6.24.2, compiled back in 2008, which leaves it exposed to a long list of local privilege escalation bugs that hand an attacker root, Dirty COW (CVE-2016-5195) among them.
On top of that, the site ran Apache 1.3.36 and PHP 5.1.4, both released in 2006 and both with numerous publicly known vulnerabilities.
The most likely scenario is that this outdated software stack was the attackers' way in, though the exact entry point has not been confirmed. One detail matters for how the attack unfolded: according to Trend Micro, the Apache instance ran as the unprivileged user nobody (uid=99), so code execution through the web server alone would not have given write access to files owned by other accounts, let alone to every site on the server. That is why the researchers say "a local exploit may have also been used in the attack," which fits the unpatched 2008 kernel.
Telemetry so far shows the ransomware concentrating on South Korea, although samples have also been submitted from Ukraine and Romania.
Erebus uses a layered encryption scheme that makes recovery infeasible without the attackers' RSA private key. Each infected file is encrypted with its own randomly generated key, that key is protected with AES, and the AES key is in turn encrypted with RSA. The RSA-2048 public key is shared across infections, so a single private key held by the attackers unlocks every file.
“The file is first scrambled with RC4 encryption in 500kB blocks with randomly generated keys. The RC4 key is then encoded with AES encryption algorithm, which is stored in the file. The AES key is again encrypted using RSA-2048 algorithm that is also stored in the file,” Trend Micro says.
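To make the three-layer scheme concrete, here is an added Go example (not Erebus code, and not taken from Trend Micro or this article) that builds and unwraps such an envelope with Go's standard library: the content goes under RC4 in 500 kB blocks, the RC4 key under AES, and the AES key under an RSA-2048 public key, with the wrapped keys stored alongside the ciphertext. The container layout, key lengths, AES-GCM mode and RSA-OAEP padding are this example's assumptions; the page only names the algorithms.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rc4"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Assumed container layout (not Erebus' real format):
//   [RSA-OAEP(aesKey): pub.Size() bytes][nonce || AES-GCM(rc4Key): 44 bytes][RC4(content)]
// Trend Micro names the 500 kB block; the key sizes are assumptions. With AES-GCM's
// 12-byte nonce and 16-byte tag, a wrapped 16-byte RC4 key is always 44 bytes.
const blockSize, rc4KeyLen, aesKeyLen, nonceLen, wrappedRC4Len = 500 * 1024, 16, 32, 12, 44

// rc4Apply runs RC4 over data in 500 kB blocks. RC4 is a stream cipher, so the
// loop only models streaming a large file; block boundaries do not change output.
func rc4Apply(key, data []byte) ([]byte, error) {
	c, err := rc4.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	for off := 0; off < len(data); off += blockSize {
		end := off + blockSize
		if end > len(data) {
			end = len(data)
		}
		c.XORKeyStream(out[off:end], data[off:end])
	}
	return out, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptFile is the attacker-side envelope: a fresh RC4 key per file, wrapped by
// a fresh AES-256 key, which is in turn wrapped by the shared RSA-2048 public key.
func encryptFile(pub *rsa.PublicKey, content []byte) ([]byte, error) {
	buf := make([]byte, rc4KeyLen+aesKeyLen+nonceLen) // fresh randomness per file
	if _, err := io.ReadFull(rand.Reader, buf); err != nil {
		return nil, err
	}
	rc4Key, aesKey, nonce := buf[:rc4KeyLen], buf[rc4KeyLen:rc4KeyLen+aesKeyLen], buf[rc4KeyLen+aesKeyLen:]
	body, err := rc4Apply(rc4Key, content) // layer 1: content under RC4
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	wrappedRC4 := append(nonce, gcm.Seal(nil, nonce, rc4Key, nil)...) // layer 2: RC4 key under AES
	wrappedAES, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey, nil) // layer 3: AES key under RSA
	if err != nil {
		return nil, err
	}
	return bytes.Join([][]byte{wrappedAES, wrappedRC4, body}, nil), nil
}

// decryptFile peels the layers back. Every per-file key is stored in the file, but
// the first step needs the RSA private key, which only the attacker holds.
func decryptFile(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	rsaLen := priv.Size()
	if len(blob) < rsaLen+wrappedRC4Len {
		return nil, fmt.Errorf("blob too short (%d bytes) to hold the key envelope", len(blob))
	}
	aesKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, blob[:rsaLen], nil)
	if err != nil {
		return nil, err // a wrong private key fails here
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	wrapped := blob[rsaLen : rsaLen+wrappedRC4Len]
	rc4Key, err := gcm.Open(nil, wrapped[:nonceLen], wrapped[nonceLen:], nil)
	if err != nil {
		return nil, err
	}
	return rc4Apply(rc4Key, blob[rsaLen+wrappedRC4Len:])
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	content := bytes.Repeat([]byte("<?php echo 'hosted site'; ?>\n"), 20000) // constructed sample, spans two blocks
	blob, _ := encryptFile(&priv.PublicKey, content)
	back, err := decryptFile(priv, blob)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(back, content))
}
```

The round trip succeeds only with the matching private key; handing `decryptFile` any other key fails at the RSA step before a single per-file key is exposed. That is the defender's takeaway from the scheme: RC4's well-known weaknesses do not help, because each file uses a fresh random key and the only route to that key runs through RSA-2048, so without the attackers' private key the realistic recovery path is backups. The shared public key also explains how one negotiated payment could cover whole batches of servers at once.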
Erebus typically targets Office documents, archives, databases and multimedia files, and can encrypt 433 file types in total. Even so, the researchers believe this variant was built specifically to target web servers and encrypt the data stored on them.
“As exemplified by Nayana, Linux is an increasingly popular operating system and a ubiquitous element in the business processes of organizations across various industries—from servers and databases to web development and mobile devices. Data centers and hosting/storage service providers also commonly use machines running Linux, for instance,” Trend Micro states.