Virtualization Technology News and Information
South Korean Web Host Agrees to Pay $1M Ransomware Demand


A South Korean Web hosting company, Nayana, announced that it had suffered a massive breach affecting its servers, allowing attackers to take control of an immense amount of user data. The company said it agreed to pay $1 million to a ransomware operation that encrypted data stored on 153 of the company's Linux servers, which affected 3,400 customer Websites.

The attackers initially demanded $4.4 million in Bitcoin to return the data. After some back-and-forth negotiation, Nayana settled on a ransom of $1 million in Bitcoin, to be paid in three installments.

Nayana is currently transferring the stolen data back to its servers. The next step is to create backups of the data and then analyze it to confirm the integrity of the recovered files. The company estimates the entire process will take between four and seven days.

"It is very frustrating and difficult, but I am really doing my best, and I will do my best to make sure all servers are normalized," said a Nayana representative. 

Over the past year, ransomware demands have risen rapidly, tripling in price from 2015 to 2016. However, this latest attack is perhaps the largest known single payment made to date.

Trend Micro, a cybersecurity research firm, identified the ransomware that hit Nayana as Erebus. Erebus originally targeted computers running Microsoft Windows but has recently morphed into a variant that affects Linux systems. In a recent blog post, Trend Micro researchers wrote:

As for how this Linux ransomware arrives, we can only infer that Erebus may have possibly leveraged vulnerabilities or a local Linux exploit. For instance, based on open-source intelligence, NAYANA's website runs on a Linux kernel that was compiled back in 2008. Security flaws like DIRTY COW that can provide attackers root access to vulnerable Linux systems are just some of the threats it may have been exposed to.

Additionally, NAYANA's website uses Apache version 1.3.36 and PHP version 5.1.4, both of which were released back in 2006. Apache vulnerabilities and PHP exploits are well-known; in fact, there was even a tool sold in the Chinese underground expressly for exploiting Apache Struts. The version of Apache NAYANA used is run as the user nobody (uid=99), which indicates that a local exploit may have also been used in the attack.

Trend Micro researchers went on to say, "It's worth noting that this ransomware is limited in terms of coverage, and is, in fact, heavily concentrated in South Korea."

This latest incident is just another unfortunate case in a recent string of ransomware attacks. Weeks ago, thousands of systems were infected with a persistent malicious software now known as WannaCry. 

Nearly all organizations and government agencies highly recommend against paying ransomware demands. But that's easy to say if you aren't the one affected and cannot get access to your data. So what do you do? What type of plan should you have in place? 

Experts in this field weigh in with their thoughts and comments:

"As ransomware continues to gain notoriety well beyond IT circles, the stories of those impacted continue to astound. The recent exploit targeting a single managed service provider, Nayana, and impacting thousands of their customers is unique because it impacted such a broad scope of companies with just one attack. Nayana's $1M payment is also the largest ransomware payment ever made. This is quite a gamble considering there is a very high likelihood the hackers still won't remove the encryption that blocks Nayana's access to their data. This serves as a heavy gut check for business and IT leaders - especially for MSPs and CSPs - to fully assess their disaster recovery capabilities. They need to make sure their IT resilience strategy can easily nullify ransomware attacks with technology that allows for critical applications and data to be recovered to the point just before an attack happens." -- Rob Strechay, VP of Product, Zerto

"Ransomware has proved to be one of the most effective ways to infiltrate an organization, and cyber criminals are increasingly becoming better at embedding malware into any number of generally consumed data types, from email to websites and even mobile apps. The extensive cyberattacks on Britain's National Health Service and the many cases before it, continue to reinforce the need for organizations to secure their environments, frequently protect their data, and implement early detection mechanisms to reduce the risk of data being held at ransom. Discussions need to take place at the board level about an organization's data recovery strategy and its intersection with its security and ransomware strategy in order to keep sensitive data out of the hands of the wrong people." -- Don Foster, Senior Director, Solutions Marketing, Commvault

"Ransomware attacking consumers and ransomware attacking companies are two different stories. While a regular user might not have any data critical enough to pay the ransom, companies usually have. Especially if it is not only about their own data, but data of their customers, in which case they just have to figure out how to get the data back or immediately go bankrupt. We have already seen quite a lot of ransomware attacks on companies (San Francisco train system, massive WannaCry - just to name a few major public cases), but I believe that this is just the beginning. A relatively simple attack technique and an enormously high reward are too tempting for cybercriminals. Every company today - including SMBs, enterprises and critical infrastructure providers - should be prepared and alert. Install OS and software updates, do backups, deploy endpoint protection - none of these steps can be ignored nowadays." -- Eugene Aseev, Vice President of Engineering at Acronis

"News of another ransomware attack isn't surprising, as it's a matter of 'when' not 'if' for most businesses. What is surprising is that Nayana opted to pay the $1M ransom to restore its data. This illuminates just how valuable data is and how far businesses are willing to go to protect it and rescue it. Unfortunately, this habit of companies paying ransoms only encourages more hacks and larger ransoms and represents an approach that is outdated and unsustainable. Instead, companies need to have an infrastructure in place that can quickly and easily restore data to the point just before an attack, allowing IT teams to simply ignore ransom demands. Investing in such an infrastructure means you have an insurance policy against not just ransomware, but any data-damaging incident or issue." -- Gary Watson, VP Technical Engagement, Nexsan


Published Thursday, June 22, 2017 3:02 PM by David Marshall