The South Korean web hosting provider has agreed to pay ransomware hackers $1 million dollars. They agreed to pay this amount after their servers were hacked. All the data and files were encrypted and to access it back the company decided to pay the hackers. Hackers targeted the Linux servers effectively taking control of 153 servers. Moreover, 3,400 businesses websites were in the control of the hackers.
This news broke out after a blog post by NAYANA, the web hosting company. It stated that the event occurred on 10th June. The ransomware malware attacked its hosting servers taking control of it and demanded 550 bitcoins (roughly $1.7 million) to decrypt the encrypted files.
However, the web hosting company was able to negotiate the amount to 397.6 bitcoins (roughly $1.01 million). Moreover, to pay in three equal instalments.
Trend Micro the leading security software firm says that the ransomware used in this attack was Erebus. This ransomware was first spotted in the month of September last year. Erebus is capable of bypassing the Window’s User Account Control and take over the machine.
Experts believe that the ransomware was able to affect the Linux Kernel 220.127.116.11 due to its known vulnerabilities. Like Dirty Cow; or affecting the local Linux exploits to take over the control of the system. NAYANA was taken over by the hackers through the local exploit. The hosting company uses Apache version 1.3.36 and PHP 5.1.4 version, all were launched in the year 2006. Hence the obsolete versions of backend support were vulnerable to the attack.
Erebus ransomware is active in South Korea and is able to affect the data of the operating system. It encrypts the documents, archives, and multimedia files. Erebus uses RSA-2048 algorithm to take control and then appends the files with the .ecrypt file extension. When it is over with its control activity it starts to display the ransom note.
First scrambling of files with the RC4 encryption in 500kb sizes occurs. Later assigning of files with a key on a random basis takes place. The keys encode with AES encryption algorithm, which is present in the file. This key again encrypts with the RSA-2048 algorithm which is part of the file.
Without having access to the RSA keys the decryption of infected files is not possible. The research by Trend Micro proves this point as well.
Therefore, the safe way of dealing with ransomware is to prevent the attack altogether. In the case of NAYANA, they were not so lucky; paying the hackers was the only solution.