South Korean web hosting provider Nayana agreed to pay 397.6 Bitcoin after ransomware infected 153 servers with info belonging to more than 3,400 customers.
A ransomware infection that tore through web hosting provider Nayana is resulting in perhaps the biggest ransomware payout in history. In a series of agonizing updates on Nayana's website, the South Korea-based company announced it had agreed to pay 397.6 Bitcoin (roughly $1 million USD) in three installments, after negotiating down an original ransom demand of 550 Bitcoin (roughly $1.62 million at the time of the demand).
According to Nayana officials, the attack occurred on June 10 and kicked off a lengthy negotiation process and a frantic scramble by the company to raise funds. In total, the company said that the infection had encrypted data on 153 Linux servers, affecting more than 3,400 Nayana customers.
The first payment was made four days after the infection was discovered, with the company announcing the process of recovering the servers would be proceeding in batches. On June 20, Nayana issued another statement acknowledging the recovery process was taking more time than anticipated due to the large amount of data involved, and that some servers could take more than 10 days to restore.
The malware responsible for infecting the Nayana servers has been identified as a variant of Erebus ransomware. Researchers first discovered Erebus being spread via malvertising in September 2016. It resurfaced in February 2017 with a new UAC (User Account Control) bypass that allowed the Windows payload to run with elevated privileges without displaying a consent prompt. At that point, with a bargain-basement ransom demand of $90, Erebus appears to have been designed for indiscriminate distribution in large spam campaigns, aiming to infect as many victims as possible and get a fraction of them to pay.
Now targeting servers and adjusting their demands per victim
If the attackers responsible for the Nayana infection are the same ones behind the previous Erebus incarnations, it's abundantly clear they've switched tactics. In addition to targeting servers, Linux ones in this case rather than Windows desktops, they're now adjusting their demand amounts based on the extent of the data they've encrypted and its perceived value to the victim.
While the specific attack vector used to infect Nayana's servers has yet to be officially confirmed, researchers suspect vulnerabilities in outdated systems and software the company was using may be to blame.
It's an extremely painful reminder of how important it is not only to patch and replace older, vulnerable systems, but to protect those systems with endpoint security that can recognize and block attempted ransomware attacks during runtime — before any files are encrypted and any damage is done.
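To make concrete what "recognizing ransomware during runtime" looks like on a Linux file server, here is a small behavioural heuristic added for this article. It is example code, not Nayana's, Erebus's, or any vendor's tooling. It assumes a stream of file-operation events (a process ID, a timestamp, a write with a sample of the bytes written, or a rename) such as an auditd or fanotify wrapper could produce; the process IDs, paths, the `.locked` suffix, the log line and the ciphertext stand-in are all constructed. A process that rewrites many distinct files with near-maximum-entropy content and bolts a new extension onto them in a short window is what an encryptor looks like from the kernel's side, regardless of which family it is.

```python
import math
from collections import Counter, defaultdict

HIGH_ENTROPY = 7.0       # bits per byte; encrypted or compressed data sits close to 8.0
MIN_SUSPECT_FILES = 5    # distinct files a single process must touch suspiciously
WINDOW_SECONDS = 10.0    # ... within this many seconds, before we flag it


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def extension_appended(old_path: str, new_path: str) -> bool:
    """True when a rename keeps the original name intact and appends a new suffix to it."""
    return new_path != old_path and new_path.startswith(old_path) and "." in new_path[len(old_path):]


def suspicious_hits(events):
    """Yield (pid, ts, path) for every event that looks like an encryption step."""
    for ev in events:
        if ev["op"] == "write" and shannon_entropy(ev["data"]) >= HIGH_ENTROPY:
            yield ev["pid"], ev["ts"], ev["path"]
        elif ev["op"] == "rename" and extension_appended(ev["path"], ev["new_path"]):
            yield ev["pid"], ev["ts"], ev["path"]


def flag_processes(events, window=WINDOW_SECONDS, min_files=MIN_SUSPECT_FILES):
    """Return {pid: distinct_suspicious_files} for processes that exceed min_files
    distinct files within any sliding window of `window` seconds."""
    by_pid = defaultdict(list)
    for pid, ts, path in suspicious_hits(events):
        by_pid[pid].append((ts, path))

    flagged = {}
    for pid, hits in by_pid.items():
        hits.sort()
        left = 0
        for right in range(len(hits)):
            # Slide the window's left edge forward until it spans at most `window` seconds.
            while hits[right][0] - hits[left][0] > window:
                left += 1
            distinct = {path for _, path in hits[left:right + 1]}
            if len(distinct) >= min_files:
                flagged[pid] = max(flagged.get(pid, 0), len(distinct))
    return flagged


# Constructed sample data (not captured from any real incident).
CIPHERTEXT_LIKE = bytes(range(256)) * 16   # stand-in for encrypted output: entropy exactly 8.0
LOG_LINE = b'10.0.0.5 - - [10/Jun/2017:03:14:07 +0900] "GET /index.php HTTP/1.1" 200 512\n'


def constructed_events():
    events = []
    # A benign web server appending plain-text lines to one log file: low entropy, one path.
    for i in range(8):
        events.append({"pid": 1203, "comm": "httpd", "op": "write", "ts": 100.0 + i,
                       "path": "/var/log/httpd/access_log", "data": LOG_LINE})
    # A hostile process overwriting six customers' site files and appending a suffix.
    for i in range(6):
        path = f"/home/site{i}/public_html/index.php"   # constructed hosting layout
        t = 100.0 + 0.5 * i
        events.append({"pid": 7781, "comm": "encryptor", "op": "write", "ts": t,
                       "path": path, "data": CIPHERTEXT_LIKE})
        events.append({"pid": 7781, "comm": "encryptor", "op": "rename", "ts": t + 0.1,
                       "path": path, "new_path": path + ".locked"})
    return events


if __name__ == "__main__":
    # Expected: {7781: 6}; the httpd process never appears because log text is low-entropy.
    print(flag_processes(constructed_events()))
```

The two signals are deliberately combined: high-entropy writes alone also fire on legitimate backup or archive jobs, and renames alone fire on log rotation, but a single process doing both across many distinct files in seconds is hard to explain benignly. In a real deployment the thresholds would be tuned per host role, and the response on a flag would be to freeze the process (SIGSTOP) and alert rather than merely print, since the whole point is to act before the remaining files are touched.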