South Korean Web Host Pays Ransomware

South Korean Web Host Pays Ransomware

South Korean web hosting provider NAYANA announced that they agreed to pay ransom in the form of Bitcoin to regain access to their web servers. The announcement was posted on June 15, 2017. The total ransom paid amounts to 397.6 Bitcoins which is about $1.01 million.

The ransomware deployed in the attack is known as Erebus. NAYANA’S servers are running Linux kernel 2.6.24 which is a 2008 version. Because it is so outdated, they are susceptible to Erebus and other cyber-attacks. Other outdated applications run by NAYANA include Apache version 1.3.36 and PHP version 5.1.4. According to Trend Micro, the Erebus malware infected 153 of NAYANA’s Linux servers. This, in turn, affected about 3,400 customers.

The original 2016 version of Erebus malware distributed advertisements. Maladvertisements direct web traffic to sites in order to make money through erroneous clicks and search engine redirects. By February 2017, Erebus evolved into a Windows malware. It infected machines and altered User Account Control (UAC) to elevate its permissions. From there, it takes control of a system, threatening to delete files unless a ransom is paid.

The current version of Erebus, the one that infected NAYANA’S servers encrypts files (types listed below) and does not relinquish control unless a ransom is paid.

Erebus file types that are targeted include:

  • Office documents (.pptx, .docx, .xlsx)
  • Databases (.sql, .mdb, .dbf, .odb)
  • Archives (.zip, .rar)
  • Email files (.eml, .msg)
  • Website-related and developer project files (.html, .css, .php, .java)
  • Multimedia files (.avi, .mp4)