South Korean web hosting firm Nayana has set a new record for the highest ransom ever paid.
The web host was hit by a ransomware attack on June 10 at 1:30 a.m., encrypting 152 of the company’s Linux servers. All Nayana customers are said to be impacted by the attack that compromised web hosting, hosting databases, and multimedia files.
Trend Micro says the ransomware is the Erebus variant, which first appeared in September 2016 through malvertisements, or malicious advertisements. It's believed that organizations within South Korea are the main target of this campaign.
Nayana reportedly was running several outdated systems carrying known vulnerabilities, providing attackers with an easy route for infection. Nayana claims, “We tried to recover the backed up data. But we found that both the internal backup and the external backup were infected with ransomware and all were encrypted.”
The hackers originally demanded 10 bitcoins per crypto-locked Linux server. Nayana was able to negotiate the asking price down to 5.4 bitcoins per server, worth about $1 million. The payment to the hackers was made in three installments, the last of which was sent just today.
Trend Micro conducted an analysis of the ransomware and found that it encrypts each file with its own unique AES key and then uses the RSA algorithm to encrypt those AES keys; like most ransomware, it is also designed to be tough to eliminate. It uses two persistence mechanisms: it adds a fake Bluetooth service so that the ransomware is executed again after the system or server is rebooted, and it installs a Unix cron job (cron is the utility in Unix-like operating systems that schedules jobs via commands or shell scripts) to check hourly whether the ransomware is still running.
It's important that your organization takes the necessary steps to defend against a ransomware attack. Ensure that all systems are patched and up-to-date, always back up critical files offline, and apply the 'principle of least privilege' wherever possible.
In addition, every organization should have a hardened Windows build standard, a hardened Linux build standard, a hardened SQL Server/Oracle database build standard, a hardened firewall standard, etc. However, determining what is an appropriate server hardening policy for your environment will require detailed research of hardening checklists and then an understanding of how this should be applied to your operating systems and applications.
Governance, regulatory and compliance standards such as NIST SP 800-53, SOX, NERC CIP, ISO27001, PCI DSS, DISA STIG and HIPAA all call for strong cybersecurity defenses, with a hardened build standard at the core. This is maintained using file integrity monitoring to highlight any significant changes or 'drift'.
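As an added example (not code from the article, Nayana or Trend Micro), the following script shows the kind of file integrity check that would surface the two persistence mechanisms described above: it baselines the hashes of files in the directories where cron jobs and service definitions live, then reports any drift. The directory layout and file contents are constructed in a temporary directory so it runs offline; on a real host you would point `hash_tree` at paths such as `/etc/cron.d`, `/etc/cron.hourly`, `/etc/systemd/system` and `/etc/init.d`.

```python
"""Minimal file-integrity drift check over Linux persistence directories.

Added example, not from the article. Paths and file contents below are
constructed placeholders, not real Erebus artifacts.
"""
import hashlib
import os
import tempfile


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                result[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return result


def drift(baseline, current):
    """Compare two hash maps and report added, removed and modified paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: clean baseline, then an unknown hourly cron job
    and an unknown service definition appear (the shape of persistence the
    article describes). Returns the drift report."""
    with tempfile.TemporaryDirectory() as root:
        cron = os.path.join(root, "cron.hourly")
        svc = os.path.join(root, "systemd", "system")
        os.makedirs(cron)
        os.makedirs(svc)
        with open(os.path.join(cron, "logrotate"), "w") as fh:
            fh.write("#!/bin/sh\n/usr/sbin/logrotate /etc/logrotate.conf\n")  # expected job
        baseline = hash_tree(root)  # in practice, store this and re-check on a schedule
        with open(os.path.join(cron, "check"), "w") as fh:
            fh.write("#!/bin/sh\n# constructed placeholder for an unknown hourly job\n")
        with open(os.path.join(svc, "bluetooth-fake.service"), "w") as fh:
            fh.write("[Service]\nExecStart=/placeholder\n")  # constructed placeholder
        return drift(baseline, hash_tree(root))


if __name__ == "__main__":
    print(demo())
```

Any entry in `added` or `modified` under these directories on a production server should be reconciled against the change record before it is allowed to stand.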
Read this article on Data Breach Today