Ransomware operators have extorted US$1 million (£800,000) from a South Korean web hosting firm after infecting multiple servers with Erebus ransomware.
The company announced on 12 June in a message to customers that it had been attacked two days previously. On 14 June 2017 the web hosting company was able to negotiate the ransom down to 397.6 BTC, nearly $1.01 million, to be paid in three installments.
According to Nayana's website, the attackers originally demanded 5 billion won ($4.4 million, £3.5 million), but the CEO of the company, Hwang Chilghong, was able to negotiate that down to 1.8 billion won. However, the company's cash assets were only 400 million won, so he worked out stage payments with the attackers.
Nayana has reported the attack to the Korea Internet & Security Agency (KISA), part of the Ministry of Science, ICT and Future Planning.
According to a blog post by Trend Micro, the threat actors used the Erebus ransomware to infect 153 Linux servers and 3,400 business websites hosted by Nayana.
As of 19 June, two of the three payments had already been made. The final payment was expected to be made once the first and second batches of servers have been successfully recovered.
A local exploit may have been used in the attack, but it is unclear exactly which exploits were used to infect the systems, because there is no clear understanding of what vulnerabilities they contain.
Researchers said it is worth noting that the ransomware is limited in coverage and heavily concentrated in South Korea. Other samples, however, have been submitted by security researchers in Ukraine and Romania.
Erebus was first spotted in a spate of malvertising attacks in September 2016 and then reemerged in February 2017 using a method to bypass Windows' User Account Control.
The recent Linux variant was similar to the updated variant discovered in February 2017, with OS-specific changes in the way it gains access to the system, Trend Micro Director of Hybrid Cloud Security Steve Neville told SC Media.
“The Windows version leveraged a strategy of bypassing the User Access Controls (UAC) to gain elevated privilege in order to execute,” Neville said. “The Linux version leverages a similar mechanism in Linux, but also adds a fake Bluetooth service to ensure that the ransomware is executed even after the system or server is rebooted.”
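The persistence technique Neville describes, a service posing as the Bluetooth daemon so the payload relaunches after a reboot, is something defenders can audit for on their own hosts. The script below is an added illustration written for this article; it is not Trend Micro's tooling, not code from the article, and makes no claim about the exact unit name or path the Erebus variant used. It parses systemd `.service` files (a constructed sample is embedded; `load_units_from_disk()` reads the real directories) and flags a bluetooth-named unit whose `ExecStart` binary is not one of the assumed BlueZ daemon locations, runs from a user-writable directory, or was dropped into the administrator override directory `/etc/systemd/system`. The daemon paths in `KNOWN_BLUETOOTHD` are assumptions for common distributions and should be checked against the hosts being audited.

```python
"""Audit systemd service units for a fake "bluetooth" persistence service.

Added example for illustration; the expected daemon paths are assumptions and
the sample unit files are constructed, not recovered from a real incident.
"""
import re
from pathlib import Path

# Assumed BlueZ daemon locations on Debian/Ubuntu and Fedora/RHEL families (assumption).
KNOWN_BLUETOOTHD = {
    "/usr/lib/bluetooth/bluetoothd",
    "/usr/libexec/bluetooth/bluetoothd",
}
# A genuine system daemon is not launched from these user-writable locations.
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")

EXEC_RE = re.compile(r"^ExecStart\s*=\s*(.*)$", re.MULTILINE)


def exec_start_binary(unit_text):
    """Return the executable path from the first ExecStart= line, or None."""
    m = EXEC_RE.search(unit_text)
    if not m:
        return None
    cmd = m.group(1).strip()
    # systemd allows prefix characters such as '-', '@', '+', '!' or ':' before the path.
    cmd = cmd.lstrip("-@+!:")
    return cmd.split()[0] if cmd else None


def audit_unit(path, unit_text):
    """Return a list of human-readable findings for one unit file."""
    findings = []
    name = Path(path).name
    binary = exec_start_binary(unit_text)
    if binary is None:
        return findings
    looks_like_bluetooth = name.startswith("bluetooth")
    if looks_like_bluetooth and binary not in KNOWN_BLUETOOTHD:
        findings.append(f"{path}: bluetooth-named unit launches unexpected binary {binary}")
    if binary.startswith(SUSPECT_DIRS):
        findings.append(f"{path}: ExecStart runs from a user-writable location: {binary}")
    if looks_like_bluetooth and path.startswith("/etc/systemd/system/"):
        findings.append(f"{path}: vendor daemon unit placed in the admin override directory")
    return findings


def audit_units(units):
    """units: mapping of unit path -> file content. Returns all findings, sorted by path."""
    out = []
    for path, text in sorted(units.items()):
        out.extend(audit_unit(path, text))
    return out


def load_units_from_disk():
    """Collect real unit files from the standard systemd directories (read-only)."""
    units = {}
    for d in ("/etc/systemd/system", "/usr/lib/systemd/system", "/lib/systemd/system"):
        base = Path(d)
        if not base.is_dir():
            continue
        for p in base.glob("*.service"):
            try:
                units[str(p)] = p.read_text(errors="replace")
            except OSError:
                pass  # unreadable unit; skip rather than abort the audit
    return units


# Constructed sample: one plausible vendor unit and one imitation in the override directory.
SAMPLE_UNITS = {
    "/lib/systemd/system/bluetooth.service": (
        "[Unit]\nDescription=Bluetooth service\n\n"
        "[Service]\nType=dbus\nExecStart=/usr/lib/bluetooth/bluetoothd\n"
    ),
    "/etc/systemd/system/bluetooth.service": (
        "[Unit]\nDescription=Bluetooth service\n\n"
        "[Service]\nExecStart=/tmp/.cache/bluetoothd\nRestart=always\n"
    ),
}

if __name__ == "__main__":
    for finding in audit_units(SAMPLE_UNITS):
        print(finding)
```

Run it as-is to see the three findings raised against the constructed imitation unit; replace `SAMPLE_UNITS` with `load_units_from_disk()` to audit a live host. Because the check compares against an explicit allowlist rather than a signature of any one sample, it also surfaces other units that borrow a trusted daemon's name.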
Researchers advise keeping all systems patched and up to date to prevent infection, and backing up critical files.