The attack occurred on June 10, 2017, and on June 12, 2017, the company announced the attack. On June 14, 2017 the web hosting company was eventually able to negotiate down to the ransom to 397.6 BTC, nearly $1.01 million, to be paid in three installments, according to a June 19 blog post.
The threat actors used the Erebus ransomware to infect 153 Linux servers and 3,400 businesses sites hosted by NAYANA and as of June 19, 2017, two of the three payments have already been made. The final payment is expected to be made one the first and second batches of servers have been successfully recovered.
A local exploit may have been used in the attack though it is unclear exactly what exploits were used to infect the system as there isn’t a clear understanding of what vulnerabilities are in the systems.
Researchers said it’s worth noting the ransomware is limited in terms of coverage and is heavily concentrated in South Korea. Other samples however, have been submitted from security researchers in Ukraine and Romania.
Erebus was first spotted in a spate of malvertising attacks in September 2016 and then reemerged in February 2017 using a method to bypass Windows’ User Account Control. The recent Linux variant was similar to the updated variant discovered in February 2017, with OS-specific changes in the way it gains access to the system, Trend Micro Director of Hybrid Cloud Security Steve Neville told SC Media.
“The Windows version leveraged a strategy of bypassing the User Access Controls (UAC) to gain elevated privilege in order to execute,” Neville said. “The Linux version leverages a similar mechanism in Linux, but also adds a fake Bluetooth service to ensure that the ransomware is executed even after the system or server is rebooted.”
Researchers warn to always make sure all of their systems are patched and up to date to prevent infection as well as the backing up of critical files.