South Korean firm pays $1m to recover files encrypted by Linux ransomware

A South Korean web hosting service provider has agreed to pay $1 million to hackers who took control of the former's servers using a Linux ransomware.

Using the Linux ransomware, hackers encrypted important files, photos, and databases belonging to a web hosting service and demanded 500 bitcoins as ransom to decrypt the encrypted files.

The hackers in question had initially demanded up to $1.62 million (equivalent to 550 bitcoins) but later settled for $1 million after NAYANA, the web hosting provider, agreed to pay the sum in three installments. Reportedly, NAYANA has already paid two installments and will pay the final one after recovering data encrypted by the Linux ransomware.

Ransomware that can infiltrate Macs uncovered by researchers

YOU MAY ALSO LIKE:

According to Japanese cyber-security firm Trend Micro, the Linux ransomware employed by hackers to encrypt data in NAYANA's servers is commonly known as Erebus. Erebus is powerful enough to encrypt files and create HTML files demanding a ransom on desktops. Erebus can also clear Windows Volume Shadow Copies so that affected users cannot recover their files through this route.

Researchers believe Erebus may have infiltrated NAYANA's servers using a known Linux vulnerability. The service provider's servers are based on Linux kernel 2.6.24.2 which is a decade old and contains vulnerabilities that enable hackers to gain root access to affected systems.

Aside from an outdated Linux kernel, NAYANA's websites also run Apache version 1.3.36 and PHP version 5.1.4 which were released in 2006 and are highly vulnerable to modern hacking technologies. Basically, infiltrating NAYANA's systems and encrypting the files within wasn't much of a task for hackers behind the ransomware attack.

Malware attacks behind 2016 Ukrainian power outage, researchers reveal

What makes the ransomware attack even more potent is that NAYANA or security experts cannot decrypt encrypted files without getting hold of the RSA keys. RSA keys are encrypted by hackers using AES encryption and another randomly generated key so it is possible for experts to get hold of these keys.

"Given the risks to business operations, reputation, and bottom line, enterprises need to be proactive in keeping threats like ransomware at bay. There is no silver bullet to ransomware like Erebus, which is why IT/system administrators should have a defense-in-depth approach to security," noted researchers at Trend Micro.

Last year, research by Citrix found that 20 percent of medium to large UK businesses had no plans on how to deal with potential ransomware attacks. The survey also revealed that 33 percent of firms were building a stockpile of digital currency in case of a ransomware attack, and more than 35 percent of large firms would pay more than £50,000 to regain access to important intellectual property or critical data.

SMB vulnerabilities are major cause of WannaCry ransomware attacks: Malwarebytes

“This research has further highlighted the sheer volume of questions to be answered by companies across the UK, with many simply not prepared for a cyber attack that could result in the loss of mission-critical data, reduced revenues and a decline in public trust,” said Chris Mayers, chief security architect at Citrix.

In May, security firm ESET warned that small and medium businesses were highly vulnerable to cyber-attacks because of lack of cyber-awareness training imparted to their employees.

"A large enterprise has a number of backstops and usually has a response ready when it happens. But a small organization … the initial infection can probably lead to something more serious and greater," says Stephen Cobb, senior security researcher at ESET.