
Ransomware Cripples South Korean Hosting Company, Ends Up Paying $1 Million Ransom

Have you ever wondered how damaging and expensive a ransomware attack can be exactly? Here's an example that should give you an idea.

On June 10, a Korean web hosting provider going by the name Nayana was hit by a file-encrypting malware known as Erebus. 153 Linux servers were affected, which represents more than half of the company's entire infrastructure. Thousands of websites went down, and according to ZDNet's Korean edition, the list of victims includes the AIDS Prevention Association of Korea and the National University Department. Of course, countless small and medium-sized businesses were also left without an Internet presence, and because Nayana is still in the process of paying the ransom and bringing everything back to normal, the amount of lost money is still growing.

But why is the whole thing taking so long?

In the beginning, Erebus' operators demanded a ransom of a whopping 10 bitcoins per server, which brings the total amount to 5 billion Korean Won, or $4.4 million. Later, the crooks lowered the price to around 908 bitcoins, 2.7 billion Won, or $2.4 million. After some more haggling, however, they agreed to release the decryption keys for just under 400 bitcoins, which, at the time of writing, is about 1.3 billion Won or $1 million. This, bear in mind, doesn't take into account the horrific blow the attack will deal to the company's credibility, or the financial costs associated with the inevitable lawsuits. The payment is supposed to be made in three installments (two of which have already been processed), and the servers should be decrypted in three separate batches. It's not an easy process.

Once the crooks send the decryption keys, the affected files need to be moved to a Windows server where they can be decrypted. If the recovery is successful, Nayana needs to make sure that everything is fine and configured properly, and then put the data back on a Linux machine that is hopefully better secured than the ones that were hacked. Not everything is going smoothly, and in a notice from earlier today, Nayana said that the whole process will likely take more time than initially expected.

Unfortunately, the South Korean hosting company has few other choices than to play by the crooks' rules. Yesterday, researchers from Trend Micro described the mechanism that encrypted the data on Nayana's servers. First, it created individual RC4 and AES keys for every single file. The data was scrambled with the RC4 key, which, in turn, was encrypted with the AES key. Then, an RSA-2048 public key was used to encrypt the AES key. This layered encryption means that researchers cannot recover the data without the RSA private key, which is guarded closely by the ransomware operators. And now for the million-dollar question (quite literally).
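To make clear why that layering leaves responders dependent on the operators' RSA private key, here is an added example in Go that reproduces only the key hierarchy on a byte slice in memory; it is not Trend Micro's analysis code or anything from Erebus itself. The article does not name the wrapping modes, so AES-256-GCM for the RC4 key and RSA-OAEP for the AES key are my assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rc4"
	"crypto/rsa"
	"crypto/sha256"
)

// seal models the three layers Trend Micro describes: fresh RC4 and AES keys per
// file, RC4 over the data, AES over the RC4 key, RSA-2048 over the AES key.
// It returns exactly what a responder later finds on disk: the scrambled data and
// the two wrapped keys (RC4 key under AES-256-GCM with the nonce prepended,
// AES key under RSA-OAEP; both modes are assumptions). No key is stored in the clear.
func seal(pub *rsa.PublicKey, plaintext []byte) (data, rc4Wrap, aesWrap []byte, err error) {
	keys := make([]byte, 16+32+12) // per-file RC4 key, AES key, GCM nonce
	rand.Read(keys)                // crypto/rand.Read never returns an error (Go 1.24+)
	rc4Key, aesKey, nonce := keys[:16], keys[16:48], keys[48:]
	stream, _ := rc4.NewCipher(rc4Key) // 16-byte key is valid, so no error
	data = make([]byte, len(plaintext))
	stream.XORKeyStream(data, plaintext)
	block, _ := aes.NewCipher(aesKey) // 32-byte key is valid, so no error
	gcm, _ := cipher.NewGCM(block)
	rc4Wrap = gcm.Seal(nonce, nonce, rc4Key, nil)
	aesWrap, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey, nil)
	return data, rc4Wrap, aesWrap, err // err is non-nil only if pub cannot wrap 32 bytes
}

// unseal walks the chain back. Its very first step needs the RSA private key,
// which never touched the victim's disk, so the artifacts alone cannot be decrypted.
func unseal(priv *rsa.PrivateKey, data, rc4Wrap, aesWrap []byte) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, aesWrap, nil)
	if err != nil {
		return nil, err // wrong or missing private key: the chain stops here
	}
	block, _ := aes.NewCipher(aesKey)
	gcm, _ := cipher.NewGCM(block)
	rc4Key, err := gcm.Open(nil, rc4Wrap[:gcm.NonceSize()], rc4Wrap[gcm.NonceSize():], nil)
	if err != nil {
		return nil, err
	}
	stream, _ := rc4.NewCipher(rc4Key)
	out := make([]byte, len(data))
	stream.XORKeyStream(out, data)
	return out, nil
}
```

Note that the per-file RC4 and AES keys exist only in memory during seal; once the process exits, the wrapped copies on disk are useless without the private half of the RSA key pair.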

Was it all avoidable?

Those of you who have been keeping up with the infosec news might remember that Erebus is the name of a Windows ransomware strain that first appeared in September 2016. Nobody can say for sure whether the Linux and the Windows families were created by the same people, but Trend Micro's researchers reckon that, at least when it comes to the infection vector, the two are different. When it came out, the Windows version was distributed primarily through malvertising, whereas the Linux strain most likely infiltrated Nayana's system by exploiting vulnerabilities in old software. After some digging around, the researchers discovered that the Linux kernel, Apache, and PHP versions Nayana uses on at least a portion of its infrastructure are woefully outdated.

As for backups, the hosting provider had not one, but two. Sadly, Nayana clearly failed to set them up properly because they too were encrypted by the ransomware.

It's quite obvious that Nayana wasn't prepared for a ransomware attack, and Erebus' operators apparently knew this very well. In one of their emails, they told the hosting provider's CEO that if he can't raise the money for the ransom, his company should simply go bankrupt. Whether or not they're being too harsh is for you to decide. One thing is for sure, though. Nayana's customers aren't responsible for the hosting provider's security holes, and yet, in the end, they were the ones who were forced to bear the consequences.
