A web hosting company that succumbed to the threat of Ransomware and paid 100 million yen

ByMedithIT

153 Linux servers managed by Korea's web hosting company NAYANA, and the website, database, files etc of 3400 customer companies are encrypted into the Ransomware "Erebus (Elebus)" and become unusable, NAYANA In order to regain the data, I finally found out that Bitocoin (bit coin) equivalent to 1 million dollars (about 1,000 yen) was paid to the creator of Ransomware.

▒▒ 호스 팅 전문 기업 (주) 인터 넷 나야나, 웹 호스 팅, 도메인, 서버 호스 팅, 이미지 호스팅, 홈페이지 제작 ▒▒
http://www.nayana.com/bbs/set_view.php?b_name=notice&w_no=961

▒▒ 호스 팅 전문 기업 (주) 인터 넷 나야나, 웹 호스 팅, 도메인, 서버 호스 팅, 이미지 호스팅, 홈페이지 제작 ▒▒
http://www.nayana.com/bbs/set_view.php?b_name=notice&w_no=966

Ransomware "Erebus" aimed at Linux servers and countermeasures | Trend Micro Security Blog
http://blog.trendmicro.co.jp/archives/15227

According to the blog post released by NAYANA on 14th June 2017, NAYANA was infected with Ransomware on June 10, encrypted the customer's data, and 5 billion won as ransom (about 490 million won It was said that a bit coin equivalent to the yen) was requested. On the NAYANA side, you can not unlock the Ransomware, NAYANA will negotiate on the Ransomware side, finally bringing in a bit coin equivalent to 1.2 billion won (about 178 million yen) in June 19 We have reached an agreement by paying it in three times by the day. As a result, it seems that data recovery to customers has begun.

Although NAYANA does not reveal the infection route of Ransomuware, Trend Micro has posted on this subject to the security blog, and it is said that Ran Thamware infected by NAYANA is a subspecies of encrypted type Ransomuware "Erebu" about. Erebus was first discovered in September 2016 as Ransomuwa originally targeted only to Windows but a variant was also found in February 2017 and Erebus infected with Nayay's server this time Has been found to be a variant modified to work on Linux systems.


According to Trend Micro,NAYANA websiteIs operating on the Linux kernel version "2.6.24.2" in 2008, which includes "Dirty COW"There is a vulnerability called. In addition, the NAYANA website uses Apache version "1.3.36" released in 2006 and PHP version "5.1.4", both of which reported known vulnerabilities, and China Crime tools that exploit these vulnerabilities are also being sold in the underground market.

This time, it seems that these old vulnerabilities are infected with the server at the first clue, Trend Micro lists the increase of the Ransomware for Linux PCs and servers, and tells the company to keep the system up to date I warned the person in charge.