A Web hosting service recently agreed to pay 1 million USD to a ransomware operation that encrypted data stored on 153 Linux servers and 3,400 customer websites, the company said recently.
The South Korean Web host, Nayana, said in a blog post published last week that initial ransom demands were for five billion won worth of Bitcoin, which is roughly $4.4 million. Company negotiators later managed to get the fee lowered to 1.8 billion won and ultimately landed a further reduction to 1.2 billion won, or just over $1 million. An update posted Saturday said Nayana engineers were in the process of recovering the data. The post cautioned that the recovery was difficult and would take time.
“It is very frustrating and difficult, but I am really doing my best, and I will do my best to make sure all servers are normalized,” a representative wrote, according to a Google translation.
The ransomware behind what may be a record payout is known as Erebus. Once targeting only computers running Microsoft Windows operating systems, Erebus was recently modified so that a variant will work against Linux systems. How Erebus managed to get installed on the Nayana servers is not clear, but given the woefully unpatched software the Web hosting service appeared to run, it’s possible the attackers exploited a well-known vulnerability. In a blog post published Monday, researchers from security firm Trend Micro wrote:
As for how this Linux ransomware arrives, we can only infer that Erebus may have possibly leveraged vulnerabilities or a local Linux exploit. For instance, based on open-source intelligence, NAYANA’s website runs on Linux kernel 184.108.40.206, which was compiled back in 2008. Security flaws like DIRTY COW that can provide attackers root access to vulnerable Linux systems are just some of the threats it may have been exposed to.
Additionally, NAYANA’s website uses Apache version 1.3.36 and PHP version 5.1.4, both of which were released back in 2006. Apache vulnerabilities and PHP exploits are well-known; in fact, there was even a tool sold in the Chinese underground expressly for exploiting Apache Struts. The version of Apache NAYANA used is run as a user of nobody (uid=99), which indicates that a local exploit may have also been used in the attack.
The Erebus variant that hit Nayana appears to have been designed to target Web servers.
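The Trend Micro observations above boil down to two defender checks: whether the components a host runs (kernel, web server, language runtime) fall below a patch baseline, and which user the web server workers actually run as, since a worker running as nobody means an attacker who compromises the web tier still needs a local privilege-escalation bug (the kernel flaw class Trend Micro names) to reach the rest of the machine. The script below is an added example written for this article, not code from Ars Technica, Nayana, or Trend Micro. It parses version strings the way they appear in tool output and compares them numerically rather than as strings; the sample inputs are constructed from the versions quoted above, and the baseline versions are illustrative placeholders an operator would replace with their own policy.

```python
"""Inventory audit: flag end-of-life components and report web-worker users.

Added example for the Nayana/Erebus article. The inputs below are constructed
from the versions quoted in the Trend Micro write-up; the baseline is an
assumed, operator-supplied policy, not a recommendation from the article.
"""
import re
from typing import Dict, List, Set, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Extract the leading dotted numeric version from tool output such as
    'Server version: Apache/1.3.36 (Unix)' or 'PHP 5.1.4 (cli)'.

    Returning a tuple of ints avoids the classic string-compare bug where
    '1.3.36' would sort *above* '1.10.0'.
    """
    match = re.search(r"(\d+(?:\.\d+)+)", text)
    if not match:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_below(found: Version, minimum: Version) -> bool:
    """True when found < minimum. Shorter tuples are zero-padded so that
    (2, 4) and (2, 4, 0) compare equal."""
    width = max(len(found), len(minimum))

    def pad(v: Version) -> Version:
        return v + (0,) * (width - len(v))

    return pad(found) < pad(minimum)


def audit_versions(observed: Dict[str, str], baseline: Dict[str, str]) -> List[str]:
    """Compare every component in the baseline against what was observed.

    A component missing from the inventory is itself a finding: an unknown
    kernel version is exactly the gap an attacker hopes you have.
    """
    findings: List[str] = []
    for component, minimum in baseline.items():
        raw = observed.get(component)
        if raw is None:
            findings.append(f"{component}: not inventoried")
            continue
        found = parse_version(raw)
        if is_below(found, parse_version(minimum)):
            dotted = ".".join(map(str, found))
            findings.append(f"{component}: {dotted} is below baseline {minimum}")
    return findings


def web_worker_users(ps_lines: List[str], process_name: str = "httpd") -> Set[str]:
    """Return the set of users running `process_name`, given lines shaped
    like the output of `ps -eo user,comm` (user column, then command).

    For Apache the parent normally runs as root (to bind port 80) and the
    workers as an unprivileged user such as nobody; if workers themselves
    show up as root, a single web-tier bug hands over the whole host."""
    users: Set[str] = set()
    for line in ps_lines:
        parts = line.split()
        if len(parts) >= 2 and parts[1] == process_name:
            users.add(parts[0])
    return users


# Constructed sample inventory, in the form tool output usually takes.
# The kernel is deliberately absent to exercise the "not inventoried" path.
OBSERVED = {
    "apache": "Server version: Apache/1.3.36 (Unix)",
    "php": "PHP 5.1.4 (cli) (built: constructed sample)",
}

# Assumed baseline policy (illustrative values only; set your own).
BASELINE = {"apache": "2.4", "php": "7.4", "kernel": "4.9"}

# Constructed `ps -eo user,comm` lines: one root parent, two nobody workers.
PS_SAMPLE = ["root httpd", "nobody httpd", "nobody httpd", "root sshd"]


if __name__ == "__main__":
    for finding in audit_versions(OBSERVED, BASELINE):
        print("FINDING:", finding)
    print("httpd runs as:", sorted(web_worker_users(PS_SAMPLE)))
```

Run against the constructed inventory it reports Apache and PHP as below baseline and the kernel as uninventoried, and shows httpd running as both root (parent) and nobody (workers), which is the situation Trend Micro describes: a web-tier compromise lands as nobody, so the unpatched kernel is what turns it into a full-server encryption event.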