South Korean web hosting provider pays $1m ransomware demand
South Korean web hosting company Nayana was hit by the Erebus ransomware and is paying 397.6 Bitcoins, the equivalent of US$1 million. The recovery process is expected to take weeks.
The company posted a blog last week that detailed the attack. According to the post, the initial ransom was 500 Bitcoins, but the CEO managed to negotiate the ransom down to 397.6.
While the CEO says that various local and international agencies are working to decrypt the files, they are not working fast enough.
Trend Micro TrendLabs provided more depth around the incident, which revealed that Nayana has paid the second of three payments. It has also started recovering servers in batches, but some of them are displaying errors.
Trend Micro attributed the ransomware to the Erebus family, which has been around since 2016. It is able to bypass Windows User Account Control, and its activity has been concentrated mainly in South Korea.
Trend Micro also says that Unix and Unix-like systems such as Linux are used so widely across enterprises, servers, web development frameworks, databases and mobile devices that they are attractive targets for hackers.
"Office documents, databases, archives, and multimedia files are the usual file types targeted by ransomware. It's the same for this version of Erebus, which encrypts 433 file types. However, the ransomware appears to be coded mainly for targeting and encrypting web servers and data stored in them," Trend Micro says in its blog.
Nayana's latest update says that the server decryption process is taking more time than anticipated. The company estimates that servers will take 2-5 days, with some servers taking as many as 10 days to recover.
However, there have been no failures in data recovery so far and the company is working towards 100%, with 30% recovery this week and 90% next week. The decryption process is predicted to take longer.
Nayana provides managed hosting, Linux, Windows, cloud, Webmail and image hosting.