Nayana, a South Korean web hosting company, was hit by a ransomware where 153 Linux servers and over 3,400 business websites hosted by the company were affected.
Nayana posted on June 12 that the attackers have demanded for 550 Bitcoins or US $1.62 million for the decryption key. The company also stated that they were negotiating with the attackers of paying 397.6 Bitcoins and in installments. The payment process has already been started and the files on servers are being decrypted in batches.
Erebus, the ransomware that affected the files, was first discovered on September 2016 and has the capability of bypassing Windows’ User Account Control.
The ransomware affected Linux servers and it is also said that the vulnerabilities were already exploited for the attack to be possible. The website runs on Linux kernel 184.108.40.206, and this version had known vulnerabilities such as Dirty Cow and could be one of the exploitable vulnerabilities that could caused the attack to take place.
“NAYANA’s website uses Apache version 1.3.36 and PHP version 5.1.4, both of which were released back in 2006. Apache vulnerabilities and PHP exploits are well-known; in fact, there was even a tool sold in the Chinese underground expressly for exploiting Apache Struts.”, stated by Trend Micro.
The primary focus of the ransomware is to encrypt office documents, databases, archives and multimedia files using RSA-2048 algorithm.
Best practices for mitigating the ransomware
- Back up critical files
- Disabling third-party repositories
- Servers and endpoints are up-to-date
- Regular monitoring of the network
- Inspect event logs