Pierluigi Paganini June 21, 2017

The Erebus Linux ransomware was first spotted in September 2016, in February a new version was improved implementing Windows’ User Account Control bypass capabilities.

“NAYANA’s website runs on Linux kernel 2.6.24.2, which was compiled back in 2008. Security flaws like DIRTY COW that can provide attackers root access to vulnerable Linux systems are just some of the threats it may have been exposed to.” states Trend Micro..

“Additionally, NAYANA’s website uses Apache version 1.3.36 and PHP version 5.1.4, both of which were released back in 2006. Apache vulnerabilities and PHP exploits are well-known; in fact, there was even a tool sold in the Chinese underground expressly for exploiting Apache Struts.”

The Erebus ransomware is targeting users in South Korea, it leveraged RSA-2048 algorithm to encrypt office documents, databases, archives, and multimedia files.  The private key is encrypted using AES encryption and another randomly generated key.

The malicious code appends a .ecrypt extension to the encrypted files.

“The file is first scrambled with RC4 encryption in 500kB blocks with randomly generated keys,” continues the analysis. “The RC4 key is then encoded with AES encryption algorithm, which is stored in the file. The AES key is again encrypted using RSA-2048 algorithm that is also stored in the file.”

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Erebus ransomware, cybercrime)

[adrotate banner=”13″]