An Erebus ransomware attack hit a web hosting company, infecting thousands of South Korean sites. The ransom demand is ridiculously high.

Nayana, a web hosting company in South Korea, suffered a ransomware attack over the weekend that left more than a hundred Linux servers and thousands of websites infected with Erebus ransomware. The initial ransom amount was astronomically high.

Yesterday, I came across the news that a South Korean web hosting company had been infected by ransomware, but it was extremely short on details. The ransomware was Erebus; the attack occurred on Saturday and thousands of sites were reportedly infected.

Today, Aju Business Daily provided more details. Nayana reportedly said 153 of its Linux servers were infected with Erebus. In turn, about 3,400 sites hosted on those servers were also affected.

Back in February, Bleeping Computer's Lawrence Abrams wrote about Erebus. The Windows sample he analyzed uses a User Account Control (UAC) bypass to run with elevated privileges without alerting the user. The malware abuses Event Viewer, which Windows runs at elevated privileges: Event Viewer looks up the registered handler for .msc files in the registry and launches it, so whatever that handler points at inherits the same elevated privileges. Erebus copies itself to a randomly named file and modifies the Windows registry to hijack the .msc file association so that Erebus executes instead of the normal console. Because the elevation happens inside an already-trusted program, the user is never prompted to allow anything to run at higher privileges. Note that UAC, Event Viewer and the registry are Windows features; the 153 Nayana machines were Linux servers, so that infection must have involved a Linux build of Erebus, whose mechanics the reporting does not describe.

Once the 60 types of targeted file extensions are encrypted by Erebus, a ransom note appears on the desktop. If victims click to recover their files, they end up on Erebus' Tor payment site. One of the other notable features Abrams pointed out was that Erebus demanded a relatively small ransom of about $90 (0.085 bitcoins). That is no longer the case, at least not in the South Korean Erebus ransomware attack.
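The .msc handler hijack described above leaves a concrete trace: a write to the per-user mscfile "open" command key, which is what the public Event Viewer auto-elevation bypass reads before launching the console. The following is an added example, not code from the article or from Erebus, showing detection logic run over a few constructed Sysmon-style registry events (Event ID 13, value set). The pipe-separated line format, the sample events, the user SID and the file names are constructed for this example, and it is an assumption that Erebus wrote the same HKCU key the public bypass uses.

```python
"""Flag per-user hijacks of the .msc file handler (Event Viewer UAC bypass).

Added example; not the article's or Erebus' own code. Input events are
constructed stand-ins for Sysmon Event ID 13 (RegistryEvent, Value Set).
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample telemetry: "key=value|key=value" per line. Not real logs.
SAMPLE_EVENTS = [
    # Benign: servicing writes the machine-wide handler under HKLM, pointing at mmc.exe.
    r"EventID=13|Image=C:\Windows\servicing\TrustedInstaller.exe|TargetObject=HKLM\Software\Classes\mscfile\shell\open\command\(Default)|Details=%SystemRoot%\system32\mmc.exe %1 %*",
    # Benign: unrelated per-user registry write.
    r"EventID=13|Image=C:\Windows\explorer.exe|TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden|Details=DWORD (0x00000001)",
    # Suspicious: a randomly named binary in %TEMP% registers itself as the
    # per-user .msc handler, which is exactly what the Event Viewer bypass needs.
    r"EventID=13|Image=C:\Users\alice\AppData\Local\Temp\qx7d1k.exe|TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\mscfile\shell\open\command\(Default)|Details=C:\Users\alice\AppData\Local\Temp\qx7d1k.exe",
    # Not a value-set event at all; must be ignored by the rule.
    r"EventID=1|Image=C:\Windows\System32\eventvwr.exe|CommandLine=eventvwr.exe",
]

# HKCU is user-writable, so a medium-integrity process can plant a handler here;
# the machine-wide key under HKLM is where the legitimate handler lives.
HIJACK_KEY_RE = re.compile(
    r"^HKU\\[^\\]+\\Software\\Classes\\mscfile\\shell\\open\\command(\\|$)",
    re.IGNORECASE,
)
# A handler that still points at the real console is less alarming than one that
# points at an arbitrary executable, but any per-user override deserves a look.
MMC_RE = re.compile(
    r'^"?(%SystemRoot%|C:\\Windows)\\system32\\mmc\.exe"?(\s|$)', re.IGNORECASE
)


@dataclass
class Finding:
    image: str      # process that wrote the value
    handler: str    # command the .msc handler now points at
    severity: str   # "high" if the handler is not mmc.exe, else "medium"


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed 'k=v|k=v' line into a field dictionary."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
    return fields


def classify(event: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding if the event is a write to a per-user .msc handler."""
    if event.get("EventID") != "13":
        return None
    if not HIJACK_KEY_RE.match(event.get("TargetObject", "")):
        return None
    handler = event.get("Details", "")
    severity = "medium" if MMC_RE.match(handler) else "high"
    return Finding(event.get("Image", "?"), handler, severity)


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run the rule over a batch of event lines and collect findings."""
    return [f for f in (classify(parse_event(l)) for l in lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.image} set .msc handler to: {finding.handler}")
```

The rule keys on the registry path rather than on the writing process, so a renamed or randomly named dropper (as the article describes) is still caught; a medium-severity hit on a per-user key that merely repeats the mmc.exe path is worth triaging too, since that key normally does not exist under HKCU at all.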
Aju Business Daily reported that the ransom amount for this round of Erebus was 10 bitcoins, which was roughly $29,075 at the time of the attack; that's about 32.7 million won. The article doesn't explain why, but apparently the hackers had a change of heart and lowered the ransom to 5.4 bitcoins. That's still not a tiny ransom, as at the time of publishing 5.4 bitcoins was equal to $15,165.

Aju Business Daily added, "The Korea Internet and Security Agency, a state security body, and police have launched an investigation, the company said, vowing to regain control of infected servers with the help of state experts."

A notice is still posted on the homepage of the web hosting company, but with a little help from the Wayback Machine, we can see Nayana's original message to customers. According to Google Translate, Erebus locked up databases, images and video, Nayana is sorry for the inconvenience, and the Korea Internet and Security Agency (KISA) and other authorities are investigating.

If we jump back to the current timeline, there is now a different message posted on the homepage of Nayana. It is the fourth notice of system failure due to Erebus encrypting data. All Nayana employees are responding to affected customers and trying to restore backup files provided by customers. The homepage affected by the ransomware was moved to a parked page. It also says the company is negotiating with the hackers.

As for the current note on the homepage, surely something was lost in translation, as the bottom portion of the note is in English. Perhaps it was written like this just to throw investigators off track. It appears to be part of the negotiation with the attackers, what the attackers had to say about the ransom. If that is true, then the ransom amount seems to have changed numerous times.
The portion in English states:

"My boss tell me, your buy many machine, give you a good price 550 BTC. If you do not have enough money, you need to make a loan. You company have 40+ employees, every employees's annual salary $30,000. All employees 30,000 * 40 = $1,200,000. All server 550 BTC = $1,620,000. If you can't pay that, you should go bankrupt. But you need to face your childs, wife, customers and employees. Also, you will lose your reputation, business. You will get many more lawsuits."

Back in February, Abrams said there was no way to decrypt Erebus-encrypted files for free.

Nayana promised to keep customers alerted to the current state of the situation.