Company from South Korea pays ransom to get data back

A web hosting company based in South Korea has suffered a ransomware crisis that affected over 3,500 of its customers. To resolve it, the company decided to pay its extortionists, and the price was high: they had demanded over $1 million in bitcoin.

Nayana, a web hosting company from South Korea, has decided to make the largest ransomware payout known to date. To stop the attack, it paid 397.6 BTC, worth around USD $1.05 million at the time.

The ransomware, named Erebus, held hostage data belonging to 3,400 customers, mostly small businesses. Over 150 Linux servers were infected, and Trend Micro says it can target more than 430 file types, including archives, databases, documents, and multimedia files.

It was also revealed that this ransomware was built specifically to encrypt web servers and the data they hold.

Nayana first disclosed the ransom note on June 12. According to its notice, Erebus ransomware had infected the servers, and those controlling it wanted 550 bitcoins to return the files. At the time, this was over $1.6 million.

The note from the extortionists was written in fairly bad English and essentially says that the company needs to pay around 550 BTC to get its files back. They included some calculations to show that they were familiar with the company's expenses and continued to demand the payout. Threats of lawsuits and a ruined business hung over the company's head, and on June 14 the company revealed that the hackers were willing to negotiate with its CEO.

Hwang Chil-hong, the company's CEO, later stated that he had managed to reduce the price to 397.6 BTC and that it would be paid in three installments. So far he has kept his word, and two of the installments have already been paid.

As for the ransomware itself, Trend Micro believes it managed to infect the company's systems because they were heavily outdated. Allegedly, they ran a Linux kernel from 2008, and PHP and Apache versions from 2006.

Researchers also note that this ransomware is only known to attack in South Korea. Nayana posted another update on June 20, stating that it was running a decryption program in an attempt to recover the lost files.

The program currently running is expected to finish in 2-5 days. Other servers may take even longer, and in those cases the decryption may last more than 10 days. As for the third payment, it is expected to be made today, Wednesday.