A web hosting company has agreed to pay $1 million in bitcoins to hackers who infected its 153 Linux servers with ransomware, encrypting 3,400 websites and all the data they hosted.
According to a blog post by NAYANA, a web hosting company in South Korea, the incident occurred on June 10, when the ransomware hit its hosting servers. The attacker or attackers originally demanded 550 bitcoins (over 1.6 million dollars) to unlock the encrypted files.
However, the company negotiated with the criminals and agreed to pay 397.6 bitcoins (about 1.01 million dollars) in three installments to have its data decrypted.
The company has already paid the first two installments and will pay the last one once two-thirds of its infected servers have had their data recovered.
According to the security company Trend Micro, the ransomware used in the attack was Erebus, which first appeared last September and was upgraded in February of this year with the ability to bypass User Account Control.
The hosting servers were running on the Linux 2.6.24.2 kernel, and researchers believe the Linux variant of Erebus was able to exploit known vulnerabilities such as Dirty COW.
"The NAYANA Web Hosting Company uses Apache version 1.3.36 and PHP version 5.1.4. Both of them were released in 2006."
Erebus is ransomware that primarily targets users in South Korea. It encrypts Office documents, databases, and media files using the RSA-2048 algorithm, then appends the .ecrypt extension to the encrypted files before displaying the ransom note.
According to the analysis conducted by Trend Micro researchers, decryption of infected files is not possible without the RSA keys.
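As an added defender-side example (not code from the article, NAYANA or Trend Micro), the scan below walks a hosting web root and flags sites accumulating files with the .ecrypt extension described above, also summarising which original file types were hit; the one-directory-per-site layout, the sample tree and the alert threshold are assumptions.

```python
"""Hunt for Erebus-style encryption indicators on a Linux web host.
Added example, not code from the article, NAYANA or Trend Micro. The .ecrypt
extension is from the article; the one-directory-per-site web-root layout and
the alert threshold of 5 renamed files per site are assumptions."""
from collections import Counter
import os
import tempfile

ENCRYPTED_EXT = ".ecrypt"   # extension Erebus appends, per the article
ALERT_THRESHOLD = 5         # assumption: renamed files per site before alerting

# Constructed fixture (not real data): site-a mass-encrypted, site-b clean,
# site-c with a single encrypted file that stays below the threshold.
SAMPLE_TREE = [
    "site-a.example/public_html/index.php",
    "site-a.example/public_html/report.docx.ecrypt",
    "site-a.example/public_html/uploads/logo.png.ecrypt",
    "site-a.example/public_html/uploads/promo.mp4.ecrypt",
    "site-a.example/backups/customers.sql.ecrypt",
    "site-a.example/backups/budget.xlsx.ecrypt",
    "site-b.example/public_html/index.php",
    "site-c.example/public_html/old.doc.ecrypt",
]

def scan_webroot(root):
    """Walk root; return ({site: .ecrypt count}, {original extension: count})."""
    per_site, per_type = Counter(), Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(ENCRYPTED_EXT):
                continue
            rel = os.path.relpath(dirpath, root)
            per_site[rel.split(os.sep)[0]] += 1   # first component = site dir
            # The original name is kept before .ecrypt, so the stem shows what was hit.
            per_type[os.path.splitext(name[:-len(ENCRYPTED_EXT)])[1]] += 1
    return dict(per_site), dict(per_type)

def affected_sites(per_site, threshold=ALERT_THRESHOLD):
    """Sites whose encrypted-file count reaches the alert threshold."""
    return sorted(s for s, n in per_site.items() if n >= threshold)

def demo(root=None):
    """Materialise SAMPLE_TREE under a temp dir, scan it, return (per_site, per_type, alerts)."""
    root = root or tempfile.mkdtemp(prefix="webroot-")
    for rel in SAMPLE_TREE:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()   # placeholder; content is irrelevant to the scan
    per_site, per_type = scan_webroot(root)
    return per_site, per_type, affected_sites(per_site)
```

Run `demo()` to build the fixture and scan it; on a real host, point `scan_webroot` at the web root and schedule it, since a sudden jump in the per-site count is the signal worth alerting on.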
To reiterate: the only safe way to deal with ransomware is prevention. The best defense against ransomware is user training combined with regular backups.
Most malware strikes when you open infected attachments or click on malicious links, which usually arrive by email.
Make sure your systems are running the latest available software versions.