











272 Shares

A web hosting company based in South Korea NAYANA has been infected with a ransomware called Erebus, the malware has infected 153 servers that run Linux OS and more than 3,400 business websites the company hosts.

The company ( NAYANA) said that the hackers required an unusual ransom of 550 Bitcoins (cryptocurrency), or pay US$1.62 million, in order to restore the affected/encrypted files from all the affected servers. NAYANA negotiated a payment of 397.6 BTC (around $1.01 million as of June 19, 2017) to be paid in installments.The web hosting company has now paid two payments at the time of writing and would pay the last payment of ransom after restoring the data from two-third of its infected servers.

Trend Micro (security firm) said:

“Erebus was first seen on September 2016 via malvertisements and reemerged on February 2017 and used a method that bypasses Windows’ User Account Control. Here are some of the notable technical details we’ve uncovered so far about Erebus’ Linux version” “NAYANA’s website uses Apache version 1.3.36 and PHP version 5.1.4, both of which were released back in 2006. Apache vulnerabilities and PHP exploits are well-known; in fact, there was even a tool sold in the Chinese underground expressly for exploiting Apache Struts. The version of Apache NAYANA used is run as a user of nobody(uid=99), which indicates that a local exploit may have also been used in the attack.”

Users are recommended to do the following:

Backing up critical files

Disabling or minimizing third-party or unverified repositories

Applying the principle of least privilege

Ensuring servers and endpoints are updated (or deploying virtual patching)

Regularly monitoring the network

Inspecting event logs to check for signs of intrusions or infection