Stats & Trends
Jonathan Crowe
Jun 2017

$1 Million Ransomware Demand May Be Largest Amount Paid Yet

Photo by Zach Copley

South Korean web hosting provider Nayana agreed to pay 397.6 Bitcoin after ransomware infected 153 servers with info belonging to more than 3,400 customers.

A ransomware infection that tore through web hosting provider Nayana is resulting in perhaps the biggest ransomware payout in history. In a series of agonizing updates on Nayana's website, the South Korea-based company announced it had agreed to pay 397.6 Bitcoin (roughly $1 million USD) in three installments, after negotiating down an original ransom demand of 550 Bitcoin (roughly $1.62 million at the time of the demand).

According to Nayana officials, the attack occured on June 10 and kicked off a lengthy negotiation process and frantic scramble for the company to raise funds. In total, the company said that the infection had encrypted data on 153 Linux servers, affecting more than 3,400 Nayana customers.

The first payment was made four days after the infection was discovered, with the company announcing the process of recovering the servers would be proceeding in batches. On June 20, Nayana issued another statement acknowledging the recovery process was taking more time than anticipated due to the large amount of data involved, and that some servers could take more than 10 days to restore. 

A closer look at the ransomware involved: Erebus


Erebus ransom screen. Source: AhnLab

The malware responsible for infecting the Nayana servers has been identified as a variant of Erebus ransomware. Researchers first discovered Erebus being spread via malvertising in September 2016. It later resurfaced in February 2017 with a new UAS bypass feature that allowed it to run at elevated privileges without displaying a prompt. At that point, with the bargain-basement ransom demand of $90, it appears Erebus was designed to be distributed indiscriminately in large spam campaigns in the hopes of infecting and getting as many victims to pay as possible. 

Now targeting servers and adjusting their demands per victim

If the attackers responsible for the Nayana infection are the same ones behind the previous Erebus incarnations, it's abundantly clear they've switched their tactics. In addition to now targeting servers, they're also now obviously adjusting their demand amounts based on the extent of the data they've encrypted and its perceived value to the victim.

According to analysis from Trend Micro, this new variant of Erebus encrypts 433 file types, including the following:

  • Office documents (.docx, .xlsx, .pptx)
  • Databases (.sql, .mdb, .dbf, .odb)
  • Archives (.zip, .rar)
  • Email files (.eml, .msg)
  • Website-related and developer project files (.html, .css, .php, .java)
  • Multimedia (.avi, .mp4)

It also utilizes several unique persistence mechanisms, including: 

  • a fake Bluetooth service to ensure that the ransomware is executed even after the system or server is rebooted
  • leveraging UNIX cron — a utility in Unix-like operating systems like Linux that schedules jobs via commands or shell scripts — to check hourly if the ransomware is running

Files are encrypted using layers of both RC4 and AES encryption. At the end of the process, Erebus drops two ransom notes named "_DECRYPT_FILE.html" and "_DECRYPT_FILE.txt."

SHA256 hashes:


How servers are getting infected

While the specific attack vector used to infect Nayana's servers has yet to be officially confirmed, researchers suspect vulnerabilities in outdated systems and software the company was using may be to blame. 

According to Trend Micro, Nayana's website runs on an old Linux kernel ( compiled in 2008, and it also uses versions of Apache (1.3.36 and PHP 5.1.4) released in 2006. Any number of security flaws and vulnerabilities — see Dirty COW (CVE-2016-5195) and the recent Apache Struts vulnerability (CVE-2017-5638) — could be to blame. 

It's an extremely painful reminder of how important it is not only to patch and replace older, vulnerable systems, but to protect those systems with endpoint security that can recognize and block attempted ransomware attacks during runtime — before any files are encrypted and any damage is done.  

Jonathan Crowe

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.


Stop ransomware no matter how it gets onto your network

See how Barkly’s Runtime Malware Defense blocks ransomware attacks other solutions miss.

See a demo


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.