
Erebus Malware – Web Hosting Provider Paid 1 Million Dollars to Ransomware Attacker

The South Korean web hosting provider Nayana agreed to pay a ransom of 1 million dollars in Bitcoin after 153 of its Linux servers were infected with the Erebus malware on the 10th of June.

After the attack, over 3400 business websites the company hosted were encrypted. According to Nayana's initial announcement, the attacker requested 550 Bitcoins (1.62 million dollars). After the company negotiated with the attacker, the ransom demanded was reduced to 397.6 Bitcoins (around 1 million dollars).

As Trend Micro reveals, the ransomware used in this attack was Erebus. Erebus is a piece of malware that was initially spotted in September 2016 on Windows operating systems; it appears that someone has since ported it to Linux. The ransomware is used to target vulnerable servers.

Nayana's website was running on a Linux kernel compiled back in 2008. Additionally, Nayana's website used Apache version 1.3.36 and PHP version 5.1.4, both of which were released back in 2006. Samples of the ransomware were also submitted to VirusTotal from Ukraine and Romania.

Details about Erebus Malware

The malware encrypts each infected file with a unique AES key and uses the RSA algorithm to encrypt those AES keys; the RSA-2048 public key, however, is shared across files. The ransomware targets Office documents, databases, archives and multimedia files, and is able to encrypt a total of 433 file types. But the malware was built specifically to target and encrypt web servers and the data stored on them.
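To illustrate the hybrid scheme just described (one fresh AES key per file, each wrapped with a single shared RSA-2048 public key), here is an added example in Go; it is not code from the article, from Trend Micro, or from the malware, and it does not reproduce Erebus's actual file format. It assumes AES-256-GCM and RSA-OAEP as the concrete primitives (the article names only AES and RSA-2048), and the `Envelope`, `SealFile`, `OpenFile` and `NewKey` names and the sample file contents are constructed for the demonstration. The point for a defender: sealing needs only the public key, so nothing left on the victim host can reverse it, which is why backups are the only independent route to recovery.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is one file's AES-GCM ciphertext plus that file's own AES key, wrapped with the shared RSA-2048 public key.
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }

// must turns failures this demo cannot recover from (CSPRNG, cipher setup, key generation) into panics.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewKey generates the attacker-side RSA-2048 key pair (constructed here only so the demo is self-contained).
func NewKey() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }

// SealFile encrypts one file under a fresh AES-256 key and wraps that key with
// RSA-OAEP. Only the public key is used, so nothing on the victim host can undo it.
func SealFile(pub *rsa.PublicKey, plaintext []byte) Envelope {
	fileKey := make([]byte, 32) // unique per file; never reused, never stored in clear
	must(rand.Read(fileKey))
	gcm := must(cipher.NewGCM(must(aes.NewCipher(fileKey))))
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil))
	return Envelope{wrapped, nonce, gcm.Seal(nil, nonce, plaintext, nil)}
}

// OpenFile needs the RSA private key, which only the attacker holds; a wrong key
// or a tampered envelope yields an error, never garbage. Hence: keep backups.
func OpenFile(priv *rsa.PrivateKey, env Envelope) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm := must(cipher.NewGCM(must(aes.NewCipher(fileKey))))
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	priv := NewKey()
	env := SealFile(&priv.PublicKey, []byte("constructed sample: index.php"))
	fmt.Printf("wrapped key %d bytes, recovered %q\n", len(env.WrappedKey), must(OpenFile(priv, env)))
}
```

Sealing the same content twice yields different wrapped keys, so knowing one file's AES key never helps with another file; only the private key unwraps them all.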

[Image: Erebus malware ransom note]

So, the only safe way of dealing with ransomware attacks is prevention. As we have previously recommended, the best defense against ransomware is to create awareness within organizations, as well as to maintain backups that are rotated regularly.

Most viruses are introduced by opening infected attachments or by clicking on links to malware, usually in spam emails. So, DO NOT CLICK on links or attachments in emails from unknown sources.