South Korean hosting provider NAYANA infected by Erebus ransomware, it paid $1 Million to crooks

Pierluigi Paganini June 21, 2017

South Korean web hosting company NAYANA was hit by the Erebus ransomware that infected 153 Linux servers and over 3,400 business websites the company hosts.

The South Korean web hosting provider NAYANA has paid $1 million in bitcoins to crooks after a Linux ransomware infected 153 of its servers, encrypting the 3,400 business websites hosted on them and their data.

The ransomware encrypted files on 153 servers; roughly 3,400 business websites were impacted.

“On June 10, South Korean web hosting company NAYANA was hit by Erebus ransomware (detected by Trend Micro as RANSOM_ELFEREBUS.A), infecting 153 Linux servers and over 3,400 business websites the company hosts.” reported Trend Micro, which identified the ransomware used in the attack as Erebus.

The attack happened on June 10. The cyber criminals demanded a payment of 550 bitcoins (over $1.6 million) to unlock the encrypted files; after negotiating with them, NAYANA agreed to pay 397.6 bitcoins (around $1.01 million) in three installments.

The web hosting provider has already paid two installments and will complete the payment once it has recovered the data from two-thirds of the infected servers.

“On June 18, NAYANA started the process of recovering the servers in batches. Some of the servers in the second batch are currently experiencing database (DB) errors. A third payment installment is also expected to be paid after the first and second batches of servers have been successfully recovered.” continues Trend Micro.

The Erebus Linux ransomware was first spotted in September 2016; in February an improved version appeared that implemented a bypass for Windows’ User Account Control.

The experts observed that the Korean hosting provider’s servers were running an old Linux kernel, which exposed them to known attacks such as the DIRTY COW Linux exploit. It is also possible that the attackers exploited flaws in the outdated Apache version 1.3.36 used by the company.

“NAYANA’s website runs on Linux kernel, which was compiled back in 2008. Security flaws like DIRTY COW that can provide attackers root access to vulnerable Linux systems are just some of the threats it may have been exposed to.” states Trend Micro.

“Additionally, NAYANA’s website uses Apache version 1.3.36 and PHP version 5.1.4, both of which were released back in 2006. Apache vulnerabilities and PHP exploits are well-known; in fact, there was even a tool sold in the Chinese underground expressly for exploiting Apache Struts.”

The Erebus ransomware targets users in South Korea; it leverages the RSA-2048 algorithm to encrypt office documents, databases, archives, and multimedia files. The private key is encrypted using AES encryption and another randomly generated key.

The malicious code appends a .ecrypt extension to the encrypted files.

“The file is first scrambled with RC4 encryption in 500kB blocks with randomly generated keys,” continues the analysis. “The RC4 key is then encoded with AES encryption algorithm, which is stored in the file. The AES key is again encrypted using RSA-2048 algorithm that is also stored in the file.”
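As an added incident-response example (not code from the article or from Trend Micro), the script below triages a directory tree on a recovered server for Erebus artefacts: it flags files carrying the `.ecrypt` extension and measures the Shannon entropy of each file’s first 500 kB block (the block size the analysis reports for RC4) to tell genuinely encrypted files from ones that were merely renamed. The 7.5 bits/byte threshold is an assumption.

```python
import math
import os
from collections import Counter

# Erebus appends ".ecrypt" to files it encrypts (per the analysis quoted above).
EREBUS_EXT = ".ecrypt"
BLOCK_SIZE = 500 * 1024      # RC4 is applied in 500 kB blocks, so inspect one block
ENTROPY_THRESHOLD = 7.5       # assumption: bits/byte at or above this reads as ciphertext

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for ciphertext or random data,
    far lower for text, HTML, SQL dumps and most office documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def triage_file(path: str) -> dict:
    """Report whether a file carries the Erebus extension and whether its leading
    block looks encrypted. A file that was renamed back to its original name but
    never decrypted still shows high entropy; a plaintext file that was only
    renamed to .ecrypt does not."""
    with open(path, "rb") as fh:
        head = fh.read(BLOCK_SIZE)
    ent = shannon_entropy(head)
    return {
        "path": path,
        "erebus_ext": path.endswith(EREBUS_EXT),
        "entropy": round(ent, 3),
        "looks_encrypted": ent >= ENTROPY_THRESHOLD,
    }

def scan_for_erebus(root: str) -> list:
    """Walk a tree and return records for files with the .ecrypt extension or a
    high-entropy leading block. Caveat: already-compressed formats (zip, jpeg,
    gzip backups) also score high, so the extension is the stronger signal and
    entropy hits without it need manual review."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rec = triage_file(os.path.join(dirpath, name))
            if rec["erebus_ext"] or rec["looks_encrypted"]:
                findings.append(rec)
    return findings

if __name__ == "__main__":
    import sys
    for rec in scan_for_erebus(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(rec)
```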


Pierluigi Paganini

(Security Affairs – Erebus ransomware, cybercrime)
