A South Korean Web hosting company, Nayana, announced that it had suffered a massive breach affecting its servers, allowing attackers to take control of an immense amount of user data. The company said it agreed to pay $1 million to a ransomware operation that encrypted data stored on 153 of the company's Linux servers, affecting 3,400 customer Websites.
The hackers initially demanded $4.4 million in Bitcoin to restore the data. After some back-and-forth negotiation, Nayana settled on a ransom of $1 million in Bitcoin, to be paid in three installments.
Nayana is currently in the process of transferring the stolen data back to its servers. The next step is to create backups of the data and then analyze it to confirm the integrity of the recovered files. The company estimates the entire process will take four to seven days to complete.
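Confirming the integrity of restored files is something a defender can prepare for before an incident: a hash manifest taken from the known-good tree lets you spot files that came back altered, missing, or that were never there. The script below is an added example for this article, not Nayana's or Trend Micro's code; the directory layout and file contents it checks are constructed, and the manifest format mirrors the `sha256sum` line format so the same file also works with `sha256sum -c`.

```python
"""Hash-manifest check for verifying a restored file tree.

Added example, not code from the article or from Nayana. Build a SHA-256
manifest of a directory before backup; after a restore, compare the restored
tree against it and report files that are missing, unexpected, or altered.
The sample site and its 'restored' copy below are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file's path (relative to root, POSIX form) to its digest.
    Symlinks are skipped so a link pointing outside the tree is not hashed."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def write_manifest(manifest: dict, out: Path) -> None:
    # Same line format as `sha256sum` output: "<hex digest>  <name>".
    out.write_text("".join(f"{digest}  {name}\n" for name, digest in sorted(manifest.items())))


def read_manifest(path: Path) -> dict:
    manifest = {}
    for line in path.read_text().splitlines():
        if line.strip():
            digest, name = line.split("  ", 1)
            manifest[name] = digest
    return manifest


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest taken before the incident."""
    current = build_manifest(restored_root)
    expected_names, current_names = set(manifest), set(current)
    return {
        "missing": sorted(expected_names - current_names),
        "unexpected": sorted(current_names - expected_names),
        "altered": sorted(n for n in expected_names & current_names
                          if manifest[n] != current[n]),
    }


def demo() -> dict:
    """Constructed scenario: snapshot a small site, then verify a flawed restore
    in which one file is gone, one stray file appeared, and one was changed."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        (site / "htdocs").mkdir(parents=True)
        (site / "htdocs" / "index.html").write_text("<h1>hello</h1>\n")
        (site / "htdocs" / "app.php").write_text("<?php echo 'ok';\n")
        (site / "config.ini").write_text("db=prod\n")
        manifest_path = Path(tmp) / "site.sha256"
        write_manifest(build_manifest(site), manifest_path)

        restored = Path(tmp) / "restored"
        (restored / "htdocs").mkdir(parents=True)
        (restored / "htdocs" / "index.html").write_text("<h1>hello</h1>\n")   # intact
        (restored / "htdocs" / "app.php.enc").write_text("garbage\n")         # stray file
        (restored / "config.ini").write_text("db=prod\n# tampered\n")         # altered
        # htdocs/app.php is deliberately absent from the restore.
        return verify_restore(read_manifest(manifest_path), restored)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

The manifest itself must be stored somewhere the attacker cannot reach from the compromised hosts (offline or on a separate, write-once location), otherwise it can be regenerated to match tampered files and the check proves nothing.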
"It is very frustrating and difficult, but I am really doing my best, and I will do my best to make sure all servers are normalized," said a Nayana representative.
Over the past year, ransomware demands have risen rapidly, tripling in price from 2015 to 2016. This latest payment, however, is perhaps the largest known single ransom paid to date.
Trend Micro, a cybersecurity research firm, identified the ransomware that hit Nayana as Erebus. Originally targeting computers running Microsoft Windows, Erebus has recently morphed into a variant that also affects Linux systems. In a recent blog post, Trend Micro researchers wrote:
As for how this Linux ransomware arrives, we can only infer that Erebus may have possibly leveraged vulnerabilities or a local Linux exploit. For instance, based on open-source intelligence, NAYANA's website runs on Linux kernel 2.6.24.2, which was compiled back in 2008. Security flaws like DIRTY COW that can provide attackers root access to vulnerable Linux systems are just some of the threats it may have been exposed to.

Additionally, NAYANA's website uses Apache version 1.3.36 and PHP version 5.1.4, both of which were released back in 2006. Apache vulnerabilities and PHP exploits are well-known; in fact, there was even a tool sold in the Chinese underground expressly for exploiting Apache Struts. The version of Apache NAYANA used is run as a user of nobody (uid=99), which indicates that a local exploit may have also been used in the attack.
Trend Micro researchers went on to say, "It's worth noting that this ransomware is limited in terms of coverage, and is, in fact, heavily concentrated in South Korea."
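The facts Trend Micro cites (a 2008 kernel, a 2006 Apache and PHP, a web server running as the unprivileged `nobody` user) are exactly the kind of inventory a defender should be checking on every exposed host: an unprivileged web server limits what a web-application compromise can reach, but only as long as the kernel underneath is patched against local privilege escalation. The audit below is an added example for this article, not Trend Micro's or Nayana's tooling. The baseline versions in `BASELINE`, the `HostFacts` structure and the sample facts are constructed for the example; in practice the facts come from `uname -r`, `httpd -v` (or `apache2 -v`), `php -v` and the owner of the running web server processes.

```python
"""Stack-age and privilege audit for a Linux web host.

Added example, not Trend Micro's or Nayana's code. Given the kernel release,
Apache and PHP version strings and the uid the web server runs as, flag any
component older than an assumed support baseline and any web server running
as root. Baseline values and sample facts are constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed policy baseline: the oldest version line the organisation still
# accepts for each component. Constructed for the example; take these from
# your own patch policy and vendor support dates.
BASELINE = {
    "kernel": (4, 4),
    "apache": (2, 4),
    "php": (7, 0),
}


def parse_version(text: str) -> tuple:
    """Extract the leading dotted numeric version from strings such as
    'Linux version 2.6.24.2', 'Apache/1.3.36 (Unix)' or '4.15.0-20-generic'.
    Distribution suffixes after the numeric part are ignored."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def fmt(version: tuple) -> str:
    return ".".join(str(part) for part in version)


@dataclass
class HostFacts:
    """Hypothetical container for the facts gathered from one host."""
    kernel: str      # e.g. output of `uname -r`
    apache: str      # e.g. first line of `httpd -v`
    php: str         # e.g. first line of `php -v`
    httpd_uid: int   # uid of the running web server worker processes


def audit(facts: HostFacts) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    components = (("kernel", facts.kernel), ("apache", facts.apache), ("php", facts.php))
    for name, raw in components:
        version = parse_version(raw)
        # Tuple comparison is element-wise, so (2, 6, 24, 2) < (4, 4) holds.
        if version < BASELINE[name]:
            findings.append(
                f"{name} {fmt(version)} is below baseline {fmt(BASELINE[name])}; "
                f"local privilege-escalation and remote-exploit fixes are missing"
            )
    if facts.httpd_uid == 0:
        findings.append("web server runs as root: any web-app compromise is immediately root")
    return findings


def demo() -> list:
    """Constructed facts matching the versions quoted in the article."""
    nayana_like = HostFacts(
        kernel="Linux version 2.6.24.2",
        apache="Server version: Apache/1.3.36 (Unix)",
        php="PHP 5.1.4 (cli)",
        httpd_uid=99,  # 'nobody' on that host, per the article
    )
    return audit(nayana_like)


if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```

Running `demo()` produces three findings (kernel, Apache and PHP all below baseline) and no root finding, which matches the article's reading of the situation: the web server itself was sandboxed to `nobody`, so getting to the point of encrypting 153 servers would have required a separate local escalation, and a 2008 kernel offers plenty of candidates.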
This latest incident is just another unfortunate case in a recent string of ransomware attacks. Weeks ago, thousands of systems were infected with the persistent malicious software now known as WannaCry.
Nearly all organizations and government agencies strongly recommend against paying ransomware demands. But that is easy to say if you are not the one affected and locked out of your data. So what do you do? What type of plan should you have in place?
Experts in this field weigh in with their thoughts and comments:
"As ransomware continues to gain notoriety well beyond IT circles, the stories of those impacted continue to astound. The recent exploit targeting a single managed service provider, Nayana, and impacting thousands of their customers is unique because it impacted such a broad scope of companies with just one attack. Nayana's $1M payment is also the largest ransomware payment ever made. This is quite a gamble considering there is a very high likelihood the hackers still won't remove the encryption that blocks Nayana's access to their data. This serves as a heavy gut check for business and IT leaders - especially for MSPs and CSPs - to fully assess their disaster recovery capabilities. They need to make sure their IT resilience strategy can easily nullify ransomware attacks with technology that allows for critical applications and data to be recovered to the point just before an attack happens." -- Rob Strechay, VP of Product, Zerto
"Ransomware has proved to be one of the most effective ways to infiltrate an organization, and cyber criminals are increasingly becoming better at embedding malware into any number of generally consumed data types, from email to websites and even mobile apps. The extensive cyberattacks on Britain's National Health Service and the many cases before it, continue to reinforce the need for organizations to secure their environments, frequently protect their data, and implement early detection mechanisms to reduce the risk of data being held at ransom. Discussions need to take place at the board level about an organization's data recovery strategy and its intersection with its security and ransomware strategy in order to keep sensitive data out of the hands of the wrong people." -- Don Foster, Senior Director, Solutions Marketing, Commvault
"Ransomware attacking consumers and ransomware attacking companies are two different stories. While a regular user might not have any data critical enough to pay the ransom, companies usually have. Especially if it is not only about their own data, but data of their customers, in which case they just have to figure out how to get the data back or immediately go bankrupt. We have already seen quite a lot of ransomware attacks on the companies (San Francisco train system, massive WannaCry - just to name a few major public cases), but I believe that this is just the beginning. Relatively simple attack technique and enormously high reward are too tempting for cybercriminals. Every company today - including SMBs, enterprises and critical infrastructure providers - should be prepared and alert. Install OS and software updates, do backup, deploy endpoint protection - none of these steps can be ignored nowadays." -- Eugene Aseev, Vice President of Engineering at Acronis
"News of another ransomware attack isn't surprising, as it's a matter of 'when' not 'if' for most businesses. What is surprising is that Nayana opted to pay the $1M ransom to restore its data. This illuminates just how valuable data is and how far businesses are willing to go to protect it and rescue it. Unfortunately, this habit of companies paying ransoms only encourages more hacks and larger ransoms and represents an approach that is outdated and unsustainable. Instead, companies need to have an infrastructure in place that can quickly and easily restore data to the point just before an attack, allowing IT teams to simply ignore ransom demands. Investing in such an infrastructure means you have an insurance policy against, not just ransomware, but any data-damaging incident or issue." -- Gary Watson, VP Technical Engagement, Nexsan