The hosting provider paid a million dollars to ransomware hackers

Original author: Ziv Chang, Gilbert Sison, and Jeanne Jocson


On June 10, NAYANA, a South Korean hosting company, was hit by an Erebus ransomware attack (detected by Trend Micro as RANSOM_ELFEREBUS.A). As a result, 153 Linux servers and more than 3,400 business websites hosted by the provider were infected.

In a message published on the NAYANA website on June 12, the company said that the attackers demanded an unprecedented ransom of 550 bitcoins (BTC), or $1.62 million, to decrypt the files on all infected servers. Here is an excerpt from the negotiation with the attackers:
My boss told me to give you a good price, since you buy a lot of cars,
550 BTC.
If you don’t have enough money, you need to take a loan.

You have 40 employees.
Each employee’s annual salary is $ 30,000.
All employees are 30,000 * 40 = $1,200,000
All servers 550 BTC = $1,620,000

If you cannot pay, you are bankrupt.
You will have to face your children, wife, clients and employees.
You will also lose your reputation and business.
You will receive many lawsuits.

Then, on June 14, NAYANA announced an agreement to pay 397.6 BTC (about $1.01 million as of June 19, 2017) in installments. On June 17, the company announced that the second of three payments had been made. On June 18, NAYANA began rebuilding the servers in batches. At the time of writing, some servers in the second batch have database errors. The third payment is to be made after the first and second batches of servers have been successfully restored.

Although the ransom amounts are not comparable, the case is reminiscent of what happened to a hospital in Kansas, whose staff did not regain full access to their encrypted files after paying. Instead, the attackers demanded a second ransom.

Erebus was first seen in September 2016, when it spread through malicious ads. It reappeared in February 2017, by then using a method that bypassed Windows User Account Control (UAC). Here are the technical details that are available about the Linux version of Erebus:


Figure 1: Erebus has a multilingual ransom notice (English option above)


Figure 2: A frame of a demo video from cybercriminals showing how to decrypt files

Possible attack vector


As for how the Linux systems were infected, we can only assume that Erebus may have used a Linux exploit. Based on open-source information, researchers found that the NAYANA site runs on Linux kernel 2.6.24.2, which was compiled back in 2008. Vulnerabilities such as Dirty COW could therefore give attackers root access to the vulnerable Linux systems.

In addition, the NAYANA website uses outdated versions of Apache (1.3.36) and PHP (5.1.4), both released back in 2006. NAYANA's Apache runs as the user nobody (uid = 99), which suggests that some previously known exploits could also have been used in the attack.


Figure 3: Erebus Linux ransomware

It is worth noting that this ransomware is limited in geographic reach: the attacks are concentrated in South Korea. However, VirusTotal data tell a different story: several samples were also submitted from Ukraine and Romania. A possible explanation is that they were uploaded by other security researchers.

Encryption procedure


Each file encrypted by Erebus has the following layout:

  • Header (0x438 bytes)
  • RSA-2048-encrypted original filename
  • RSA-2048-encrypted AES key
  • AES-encrypted RC4 key
  • RC4-encrypted data

First, each file is split into 500 kB blocks and encrypted with the RC4 algorithm using a randomly generated key. The RC4 key is then encrypted with AES. The AES key is in turn encrypted with RSA-2048, whose public key is stored in the file.

A single RSA-2048 public key is shared by all files. The RSA-2048 key pair is generated locally, while the private key needed for decryption is stored AES-encrypted under an additional randomly generated key (possibly derived from the machine ID). Analysis shows that decryption is not possible without obtaining the RSA private key.

Target File Types


Typically, ransomware targets office documents, databases, archives, and multimedia files. This also holds for this version of Erebus, which encrypts 433 file types, but it additionally focuses on web servers and the data stored on them.

The table below shows the folders that Erebus looks for: var/www/ is where website files and data are stored, and the ibdata files are used by MySQL.

Included directories:
  • var/www/

Included files:
  • ibdata0, ibdata1, ibdata2, ibdata3, ibdata4, ibdata5, ibdata6, ibdata7, ibdata8, ibdata9
  • ib_logfile0, ib_logfile1, ib_logfile2, ib_logfile3, ib_logfile4, ib_logfile5

Excluded directories:
  • $/bin/
  • $/boot/
  • $/dev/
  • $/etc/
  • $/lib/
  • $/lib64/
  • $/proc/
  • $/run/
  • $/sbin/
  • $/srv/
  • $/sys/
  • $/tmp/
  • $/usr/
  • $/var/
  • /.gem/
  • /.bundle/
  • /.nvm/
  • /.npm/

How to protect yourself?


A single vulnerable machine on the network is sometimes enough to infect all connected systems and servers. Given the risks to operations, reputation and revenue, companies should address such threats proactively. Risk mitigation recommendations include:

  • Backing up important files
  • Disabling or minimizing the number of third-party or unverified repositories
  • Applying the principle of least privilege
  • Updating server and endpoint software (or using virtual patching)
  • Regular network monitoring
  • Checking event logs for signs of intrusion or infection

SHA256 hashes of RANSOM_ELFEREBUS.A samples:
0b7996bca486575be15e68dba7cbd802b1e5f90436ba23f802da66292c8a055f
d889734783273b7158deeae6cf804a6be99c3a5353d948
