Almost four days ago, HackRead reported that a new version of ransomware called Erebus has affected more than 153 Linux-based networks and has targeted one South Korean web hosting company, NAYANA, in particular.
The ransomware caused massive damage: multimedia files, databases, and other critical network-level data were encrypted. The attackers demanded a ransom whose amount had not been disclosed at the time.
The ransom demanded and paid
The most recent update from the company says that the total ransom demanded amounted to $4.4 million, to be paid in Bitcoin. NAYANA, however, negotiated the ransom down from $4.4m to $1.8m, and then further to $1.2m.
The company allegedly paid the ransom in four installments, and the payments have now been made. This implies that around $1 million has been paid as the result of a single ransomware attack that affected more than 3,000 of the company’s clients.
Indeed, this is a loss of extraordinary proportions: not only did NAYANA suffer reputational damage because its customers were affected, but it also suffered an enormous financial loss by paying the ransom.
This certainly acts as a motivator for other ransomware developers to exploit similar companies for exorbitant returns.
The recovery process
One would expect that, after paying the entire amount, the systems would be recovered in time. However, to the clients’ disappointment, the network has not yet been restored, and company officials say the recovery process will take time.
This incident may well serve as encouragement for other ransomware developers, who will now use the same techniques to entrap victims and force them to pay ever-larger ransoms.
In fact, Erebus has been present in the cyber landscape since 2016, when it only affected machines running the Windows operating system. At that stage the malware relied on conventional hacking techniques to hijack computers.
Over the years, however, the ransomware evolved to become more versatile, eventually exploiting vulnerabilities in Linux-based networks.
In fact, in February 2017, it was reported that the malware was capable of bypassing User Account Control (UAC) on Windows, thereby gaining easy access to a person’s computer.
The flaw in Linux-based networks
Experts say that the ransomware has probably found a lurking vulnerability in Linux, which would explain how it has been able to affect Linux-based networks so easily.
In NAYANA’s case, it is hypothesized that, since the company’s networks were running an older version of Linux (Linux 126.96.36.199), the ransomware likely leveraged the Dirty COW flaw to gain root access to the system.
This, in combination with vulnerabilities in the older versions of Apache and PHP that NAYANA happens to have been using, provides some clue as to how the malware got in.