South Korean web hosting company infected by Erebus ransomware

Nayana, a web hosting company in South Korea, suffered a ransomware attack over the weekend which resulted in more than a hundred Linux servers and thousands of websites being infected with Erebus ransomware. The initial ransom amount was astronomically high.

Yesterday, I came across the news that a South Korean web hosting company had been infected by ransomware, but it was extremely short on details. The ransomware was Erebus; the attack occurred on Saturday and thousands of sites were reportedly infected.

Today, Aju Business Daily provided more details. Nayana reportedly said 153 of its Linux servers were infected with Erebus. In turn, about 3,400 sites on the web hosting company’s servers were also infected.

Back in February, Bleeping Computer’s Lawrence Abrams wrote about Erebus. The ransomware uses a User Account Control (UAC) bypass method to run at higher privileges without alerting the user.

The malware abuses Event Viewer, which runs at elevated privileges, so it will launch Erebus with the same privileges. This technique allows the UAC bypass; users will not be prompted to allow the program to run at higher privileges. Erebus copies itself to a random named file and modifies Window registry to hijack the association for the .msc file extension so that Eerbus will execute instead.

Once the 60 types of targeted file extensions are encrypted by Erebus, a ransom note appears on the desktop. If victims click to recover their files, they end up on the Erebus’ Tor payment site. One of the other notable features about Erebus, Abrams explained, was that Erebus demanded a relatively small ransom of about $90 (.085 bitcoins).

That is no longer the case, at least not in the South Korean Erebus ransomware attack. Aju Business Daily reported that the ransom amount for this round of Erebus was 10 bitcoins, which was roughly $29,075 at the time of the attack; that’s about 32.7 million won.

The article doesn’t explain why, but apparently the hackers had a change of heart and lowered the ransom to 5.4 bitcoins. That’s still not a tiny ransom as at the time of publishing 5.4 bitcoins was equal to $15,165.

Aju Business Daily added, “The Korea Internet and Security Agency, a state security body, and police have launched an investigation, the company said, vowing to regain control of infected servers with the help of state experts.”

A notice is still posted on the homepage of the web hosting company, but with a little help from the Wayback Machine, we can see Nayana’s original message to customers. Using Google translate, Erebus locked up databases, images and video. Nayana is sorry for the inconvenience. The Korea National Internet Development Agency (KISA) and other authorities are investigating.

If we jump back to the current timeline, there is now a different message posted on the homepage of Nayana. It is the fourth notice of system failure due to Erebus encrypting data. All Nayana employees are responding to affected customers and trying to restore backup files provided by customers. The homepage affected by the ransomware was moved to a parked page. It also says the company is negotiating with the hackers.

As for the current note on the homepage, surely something was lost in translation as the bottom portion of the note is in English. Perhaps it was written like this just to throw investigators off track. It appears to be part of the negotiation with the attackers, what the attackers had to say about the ransom. If that is true, then the ransom amount seems to have changed numerous times.

The portion in English states:

My boss tell me, your buy many machine, give you a good price 550 BTC If you do not have enough money, you need to make a loan

You company have 40+ employees, every employees’s annual salary $30,000 all employees 30,000 * 40 = $ 1,200,000 all server 550BTC = $ 1,620,000

If you can’t pay that, you should go bankrupt. But you need to face your childs, wife, customers and employees. Also, you will lose your reputation, business. You will get many more lawsuits.

Back in February, Abrams said there was no way to decrypt Erebus encrypted files for free.

Nayana promised to keep customers alerted to current state of the situation.