Earlier this month, South Korean web hosting company Nayana was badly hit by a ransomware attack – 153 of its Linux servers were put out of order, making over 3,400 clients’ websites unavailable.
It seems that the company was hit by a variant of the Erebus ransomware (identified by Trend Micro as RANSOM_ELFEREBUS.A). This type of ransomware looks for 433 different file types on web servers, encrypts them and demands a ransom for their ‘safe’ recovery.
In this case, the criminals demanded 550 bitcoin (around US$1.6 million), but after negotiation with the company reduced the demand to 397.6 bitcoin (around US$1 million)
They decided to pay the ransom
The company decided to pay the ransom to resume normal operations, although it didn’t explain why it decided to adopt this solution, nor why it thought it couldn’t restore data from backups. The payment was due in three instalments, the second of which was paid on 17 June. The day after, the company started the process to recover its data. The third instalment will be paid once all servers are recovered, but who knows if criminals are going to respect the agreement?
Servers were unpatched
According to Trend Micro, “NAYANA’s website runs on Linux kernel 126.96.36.199, which was compiled back in 2008. […] NAYANA’s website uses Apache version 1.3.36 and PHP version 5.1.4, both of which were released back in 2006.” Basically, the company didn’t patch its web servers, leaving them vulnerable to intrusion.
Action to be taken to reduce the risk of ransomware
Keeping security defences up to date is the golden rule, but, as demonstrated by Nayana, this simple advice is often neglected – whether because of a lack of budget, forgetfulness or a number of other reasons.
Here is a list of actions you can take to reduce the risk of ransomware:
- Regularly patch your systems for newly found vulnerabilities
- Run penetration tests to discover holes in your security perimeter
- Conduct a cyber health check to assess your company’s cyber risk exposure
- Train your staff to recognise phishing emails (which are often used as means of delivering ransomware)
- Adopt an ISO 27001-compliant ISMS to improve your company’s security posture.