An ISP in South Korea that was hit with a deep ransomware infection in recent days has agreed to pay more than $1 million to recover access to its encrypted data.
The company, Nayana, said that it had been hit with the Erebus ransomware about 10 days ago, and spent several days trying to recover its data. The attackers who targeted the company initially demanded about $4.3 million in Bitcoin, but Nayana officials began negotiating with the attackers and eventually got the price down to a little more than $1 million. The money will come from an investment from an outside firm, the company’s CEO said.
“In order to protect the interests of our customers, we have continuously negotiated with hackers.
We decided to get the decryption key value by paying about 1.3 billion [won]. The hacker has decided to set up a stake as collateral through the company that proposed the acquisition,” the company said in a statement on its site.
“We are in the process of paying for the current transfer limit increase, bit coin exchange, etc. We will notify you of the detailed restoration schedule for each server as soon as you receive the key.”
The Erebus ransomware that his Nayana infected more than 150 of the company’s Linux servers, and security researchers said it’s unclear how the malware got into the machines.
“As for how this Linux ransomware arrives, we can only infer that Erebus may have possibly leveraged vulnerabilities or a local Linux exploit. For instance, based on open-source intelligence, NAYANA’s website runs on Linux kernel 126.96.36.199, which was compiled back in 2008. Security flaws like DIRTY COW that can provide attackers root access to vulnerable Linux systems are just some of the threats it may have been exposed to,” Trend Micro said in an analysis of the attack.
“Additionally, NAYANA’s website uses Apache version 1.3.36 and PHP version 5.1.4, both of which were released back in 2006. Apache vulnerabilities and PHP exploits are well-known; in fact, there was even a tool sold in the Chinese underground expressly for exploiting Apache Struts. The version of Apache NAYANA used is run as a user of nobody(uid=99), which indicates that a local exploit may have also been used in the attack.”
Erebus isn’t one of the more well-known ransomware variants, and Trend Micro said that the malware is mostly focused on infecting and encrypting files on web servers. The $1 million-plus ransom that Nayana is paying is one of the larger publicly known ransomware payments to date.
CC By license image from Karl Baron