Hackers extorted a cool $1 million from South Korean web hosting provider

Whether through ransomware, or simply by breaking into computer systems and exfiltrating and deleting the data found on them with other means, cyber extortionists are going for the big fish: businesses.

Depending on how big and thriving the target is, the pay-off can be considerable, as evidenced by the latest successful attack on South Korean web host Nayana.


Recovering ransomware-infected servers

The attackers managed to infect 153 Linux servers, which were hosting the websites of some 3,400 businesses, with a Linux variant of the Erebus ransomware, and the malware started encrypting important files.

The owner of the company succeeded in negotiating the amount to be paid down to $1.1 million (the attackers initially asked for $1.62 million), and has already paid part of the ransom and has started recovering servers.

Ransomware delivery

It is still unknown how the hackers managed to deliver the ransomware to the target servers, but according to Trend Micro researchers, they likely leveraged leveraged vulnerabilities or a local Linux exploit.

“For instance, based on open-source intelligence, NAYANA’s website runs on Linux kernel, which was compiled back in 2008. Security flaws like DIRTY COW that can provide attackers root access to vulnerable Linux systems are just some of the threats it may have been exposed to,” they noted.

“Additionally, NAYANA’s website uses Apache version 1.3.36 and PHP version 5.1.4, both of which were released back in 2006. Apache vulnerabilities and PHP exploits are well-known; in fact, there was even a tool sold in the Chinese underground expressly for exploiting Apache Struts. The version of Apache NAYANA used is run as a user of nobody(uid=99), which indicates that a local exploit may have also been used in the attack.”

Unfortunately for the company, decryption of the encrypted files is not possible without the RSA keys that only the attackers possess.

But luckily for them, the attackers have actually provided the needed batches of keys after the company paid the ransom in several instalments. There have been many instances when companies and individuals paid the ransom, and received nothing in return, which is why law enforcement and infosec professionals generally advise against paying it.

Ransomware targeting Linux servers

Trend Micro researchers expect Unix and Linux systems to be often targeted by ransomware-wielding miscreants.

“They are a ubiquitous part of the infrastructures that power many enterprises, used by workstations and servers, web and application development frameworks, databases, and mobile devices, among others,” they noted.

They also pointed out that there is no silver bullet to ransomware like Erebus, and IT/system administrators have to implement a number of risk mitigation techniques to protect company systems and networks from similar threats.

These include doing regular backup and keeping the backup files safe, keeping server and endpoints updated, network and log monitoring, applying the principle of least privilege, and more.

Don't miss