Earlier this month, South Korean web hosting company Nayana was badly hit by a ransomware attack – 153 of its Linux servers were put out of order, making over 3,400 clients’ websites unavailable.

The infection

It seems that the company was hit by a variant of the Erebus ransomware (identified by Trend Micro as RANSOM_ELFEREBUS.A). This type of ransomware looks for 433 different file types on web servers, encrypts them and demands a ransom for their ‘safe’ recovery.

In this case, the criminals demanded 550 bitcoin (around US$1.6 million), but after negotiation with the company reduced the demand to 397.6 bitcoin (around US$1 million).

They decided to pay the ransom

The company decided to pay the ransom to resume normal operations, although it didn’t explain why it decided to adopt this solution, nor why it thought it couldn’t restore data from backups. The payment was due in three instalments, the second of which was paid on 17 June. The day after, the company started the process to recover its data. The third instalment will be paid once all servers are recovered, but who knows if criminals are going to respect the agreement?

Servers were unpatched

According to Trend Micro, “NAYANA’s website runs on Linux kernel 2.6.24.2, which was compiled back in 2008. […] NAYANA’s website uses Apache version 1.3.36 and PHP version 5.1.4, both of which were released back in 2006.” Basically, the company didn’t patch its web servers, leaving them vulnerable to intrusion.

Action to be taken to reduce the risk of ransomware

Keeping security defences up to date is the golden rule, but, as demonstrated by Nayana, this simple advice is often neglected – whether because of a lack of budget, forgetfulness or a number of other reasons.
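A first step towards "keeping defences up to date" is simply knowing what is running. The POSIX shell script below is an added example (it is not part of this article and not a Nayana or Trend Micro tool): it reads the kernel, Apache and PHP versions of a host, compares each against an operator-chosen minimum, and flags anything older. The `*_MIN` baselines are placeholders that an operator must set from their vendor's support lifecycle pages; the `sample_audit` function feeds in the versions Trend Micro reported for the Nayana host as constructed input, and `audit_live_host` runs the same checks on the machine the script is executed on.

```shell
#!/bin/sh
# Added example: compare installed web-stack versions against a minimum baseline.
# Baselines are PLACEHOLDERS; set them from your distribution's / vendor's
# support policy before relying on the result.
KERNEL_MIN="4.19"
APACHE_MIN="2.4"
PHP_MIN="7.4"

# Reduce a version banner ("Server version: Apache/1.3.36 (Unix)",
# "5.15.0-91-generic") to its leading dotted-numeric core ("1.3.36", "5.15.0").
version_core() {
    printf '%s' "$1" | sed 's/^[^0-9]*//; s/[^0-9.].*$//'
}

# Return 0 (true) when version $1 >= version $2, comparing each dotted
# component numerically (so 1.3.36 < 1.3.42 and 2.6.24 < 2.6.24.2).
version_ge() {
    v1="$(version_core "$1")"; v2="$(version_core "$2")"
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        c1="${v1%%.*}"; c2="${v2%%.*}"      # head component of each string
        c1="${c1:-0}";  c2="${c2:-0}"       # exhausted string counts as 0
        [ "$c1" -gt "$c2" ] && return 0
        [ "$c1" -lt "$c2" ] && return 1
        case "$v1" in *.*) v1="${v1#*.}";; *) v1="";; esac
        case "$v2" in *.*) v2="${v2#*.}";; *) v2="";; esac
    done
    return 0
}

# Print one report line; return 0 if $2 meets minimum $3, else 1.
check_component() {
    name="$1"; observed="$(version_core "$2")"; minimum="$3"
    if version_ge "$observed" "$minimum"; then
        printf '%-7s %-10s OK       (minimum %s)\n' "$name" "$observed" "$minimum"
        return 0
    fi
    printf '%-7s %-10s OUTDATED (minimum %s)\n' "$name" "$observed" "$minimum"
    return 1
}

# Constructed sample input: the versions Trend Micro reported for the Nayana host.
# Returns the number of outdated components.
sample_audit() {
    failures=0
    check_component kernel "2.6.24.2"        "$KERNEL_MIN" || failures=$((failures + 1))
    check_component apache "Apache/1.3.36"   "$APACHE_MIN" || failures=$((failures + 1))
    check_component php    "PHP 5.1.4 (cli)" "$PHP_MIN"    || failures=$((failures + 1))
    return $failures
}

# Same checks against the host running this script; components that are not
# installed are skipped. Returns the number of outdated components.
audit_live_host() {
    failures=0
    check_component kernel "$(uname -r)" "$KERNEL_MIN" || failures=$((failures + 1))
    if command -v httpd >/dev/null 2>&1; then
        check_component apache "$(httpd -v 2>/dev/null | head -n1)" "$APACHE_MIN" || failures=$((failures + 1))
    elif command -v apache2 >/dev/null 2>&1; then
        check_component apache "$(apache2 -v 2>/dev/null | head -n1)" "$APACHE_MIN" || failures=$((failures + 1))
    else
        echo "apache  not installed (skipped)"
    fi
    if command -v php >/dev/null 2>&1; then
        check_component php "$(php -v 2>/dev/null | head -n1)" "$PHP_MIN" || failures=$((failures + 1))
    else
        echo "php     not installed (skipped)"
    fi
    return $failures
}

echo "== Versions reported for the Nayana host =="
sample_audit
echo
echo "== This host =="
audit_live_host
```

Run it on each web server (for example from a cron job that mails a non-zero result) and treat any OUTDATED line as a ticket: the Nayana sample reports three outdated components, which is exactly the state Trend Micro described. A version check does not prove a host is exploitable, but the reverse holds: software this far behind its baseline has no fixes for anything found since.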

Here is a list of actions you can take to reduce the risk of ransomware: