Company to cough up $1.32m ransomware payment



A South Korean web hosting company has agreed to pay a record-breaking US$1 million ($1.32 million) ransom to decrypt 153 Linux servers forcibly encrypted by ransomware.

The company, Nayana, said it has agreed to pay 397.6 bitcoins, worth around US$1 million, to unlock the encrypted servers; the amount was negotiated down from an initial demand equivalent to around US$5 million.

Nayana’s servers were infected by the Erebus ransomware, according to Trend Micro, and the websites and files of around 3400 customers have been affected.

Nayana said the company has attempted to restore the encrypted content from backups, only to discover that both internal and external backups were also infected with ransomware and encrypted.

The company agreed to pay the ransom in three instalments, but held off on paying the third instalment after discovering that some of the decryption keys it had been provided after the second payment were not working.

But Nayana said it was working with the cybercriminals to resolve the issue, and subsequently revealed it is preparing to make the third payment, suggesting that the decryption key issue has been resolved.

Trend Micro’s analysis shows that Erebus ransomware encrypts files with RSA-2048 encryption. The variant that infected Nayana’s servers has been adapted to target Linux rather than Windows so it can infect servers, and contains persistence mechanisms that can ensure the ransomware is executed even after the system or server is rebooted.

It targets 433 file types, including all types of Microsoft Office documents, databases, compressed files and folders, email files, website-related files and multimedia files.

To avoid infection, Trend Micro is urging companies to keep systems and servers updated, avoid or minimise the use of third-party or unknown repositories or packages, and restrict permissions and privileges for programs.

Companies should also proactively monitor network traffic for threats, apply network segmentation and data categorisation techniques, and regularly back up files with at least three copies in two different formats.

Security experts have long expressed concerns that yielding to a ransomware attack and paying the ransom will only encourage more such attacks, because it proves the technique effective. The decision also leaves companies vulnerable to further extortion by the same criminals.
