A web hosting company in South Korea has agreed to pay ransomware attackers a whopping $1 million to regain access to its files, according to a recent report by The Hacker News.
Ransomware attacks are not uncommon, as we all know from the massive WannaCry outbreak that hit over 300,000 machines in more than 150 countries. But ransomware operators typically ask for small amounts of money from a large number of victims, and even when they hit a large company they tend to ask for tens of thousands of dollars. $1 million is not unheard of, but it is a large enough sum to deserve some digging into.
The company in question had 153 of its servers compromised, and the data for 3,400 business websites hosted on them was encrypted by the attackers. The original demand was 550 bitcoins, about $1.6 million at the time, but the company was able to negotiate that down to 397.6 bitcoins, or about $1.01 million.
NAYANA, the company in question, has reportedly made two payments towards the final amount, and will make the third payment once it has recovered the files from two-thirds of the affected servers.
Why did the company agree to pay, and why such a large amount of money?
The answer is obvious: the entire company could have gone down the tubes if it lost the data for that many businesses. Quite apart from legal damages over lost client data, NAYANA would never again have been in a position to win new clients. The most likely outcome would have been a complete shutdown of the business.
That is why ransomware is such a major threat to businesses all around the world. For an operating business it is usually a worse scenario than data theft: theft is a serious problem too, but its impact is rarely as extreme as permanently losing every client's data.
Take Yahoo, for example. It had been leaking user information for years, and Verizon still went ahead with the acquisition, at a reduced price, despite the legal fallout. Ransomware is a much uglier scenario.
If you’re a small business owner or the head of the IT department in your company, it’s your problem. And it’s your job to make sure that your business or company isn’t put in that type of situation.
The malware in question is a ransomware family called Erebus, first spotted in the wild on Windows systems earlier this year. This time a Linux variant was used. Security researchers point out that the attacked servers were running Linux kernel 2.6.24.2, a 2008 release, so a long-public kernel flaw such as Dirty COW (CVE-2016-5195) could have been used to obtain root. Note that Dirty COW is a local privilege-escalation bug, not a remote one: the attackers would first have needed a foothold on the host, for instance through a vulnerable service, and only then used a local exploit to become root.
The other problem is that NAYANA's website was running Apache 1.3.36 and PHP 5.1.4, both released in 2006 and more than ten years old. A decade of publicly documented vulnerabilities in an internet-facing web stack is exactly the kind of foothold an attacker needs before any kernel exploit comes into play.
The encryption itself was carried out like this, according to the researchers:
“The file is first scrambled with RC4 encryption in 500kB blocks with randomly generated keys,” researchers say. “The RC4 key is then encoded with the AES encryption algorithm, which is stored in the file. The AES key is again encrypted using the RSA-2048 algorithm that is also stored in the file.”
In such a scenario it is computationally infeasible to decrypt the files without the attacker's RSA private key. The term RSA is made up of the initials of the three researchers who published the algorithm in 1978: Ron Rivest, Adi Shamir and Leonard Adleman. A similar system had been developed in 1973 for the British intelligence agency GCHQ by Clifford Cocks, but it was not declassified until 1997.
The three stages of encryption are not what makes recovery hard; they are a standard hybrid-encryption design. A fast stream cipher (RC4) handles the bulk data, AES wraps the many per-block RC4 keys, and RSA-2048 wraps the single AES key so that only the holder of the matching private key can start the chain. Every key except that private key is stored in the encrypted file itself, which is why the scheme is cheap for the attacker and useless to the victim. RC4's well-known weaknesses do not help here either, because each block is encrypted under a fresh random key that is used only once. In general, the only practical recovery path for a scheme built this way is an implementation flaw (a predictable random number generator, key reuse, or a key left on disk), which is how free decryptors for other ransomware families have come about; the report describes no such flaw in Erebus.
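To make the layering concrete, here is an added example in Go that reproduces the structure from the quote above. It is not code from the original post or from Erebus itself: the report does not describe Erebus's file format, key lengths or cipher modes, so the 16-byte RC4 keys, AES-256-GCM wrapping, RSA-OAEP with SHA-256, the reading of "500kB" as 500 KiB and the container struct are assumptions chosen to show the design, and the function names are invented. It uses only the Go standard library, and the sample data in the usage note is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rc4"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

const BlockSize = 500 * 1024 // per-block granularity quoted in the report (assumed 500 KiB)

// EncryptedFile is a constructed container for the three layers; only the attacker's RSA private key opens the chain.
type EncryptedFile struct {
	WrappedAESKey  []byte   // AES key, RSA-OAEP encrypted to the attacker's public key
	WrappedRC4Keys [][]byte // one RC4 key per block, AES-GCM encrypted under the AES key
	Blocks         [][]byte // the file contents, RC4 encrypted in BlockSize chunks
}

// NewAttackerKey stands in for the key pair the ransomware operator keeps offline.
func NewAttackerKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // if the system CSPRNG fails there is nothing safe left to do
	}
	return b
}

// rc4XOR runs the stream cipher; the same call encrypts and decrypts.
func rc4XOR(key, data []byte) []byte {
	c, err := rc4.NewCipher(key) // only fails for key lengths outside 1..256 bytes
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(data))
	c.XORKeyStream(out, data)
	return out
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt applies the quoted layering: fresh RC4 key per block, RC4 keys wrapped with AES, AES key wrapped with RSA.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	aesKey := randomBytes(32)
	gcm, err := gcmFor(aesKey)
	if err != nil {
		return nil, err
	}
	ef := &EncryptedFile{}
	for start := 0; start < len(plaintext); start += BlockSize {
		end := start + BlockSize
		if end > len(plaintext) {
			end = len(plaintext)
		}
		rc4Key, nonce := randomBytes(16), randomBytes(gcm.NonceSize())
		ef.Blocks = append(ef.Blocks, rc4XOR(rc4Key, plaintext[start:end]))
		ef.WrappedRC4Keys = append(ef.WrappedRC4Keys, append(nonce, gcm.Seal(nil, nonce, rc4Key, nil)...))
	}
	ef.WrappedAESKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey, nil)
	return ef, err
}

// Decrypt is the recovery path a victim pays for; it needs the RSA private key, which the malware never writes to disk.
func Decrypt(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedAESKey, nil)
	if err != nil {
		return nil, fmt.Errorf("RSA private key does not match: %w", err)
	}
	gcm, err := gcmFor(aesKey)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	var out []byte
	for i, block := range ef.Blocks {
		if i >= len(ef.WrappedRC4Keys) || len(ef.WrappedRC4Keys[i]) < ns {
			return nil, fmt.Errorf("malformed container at block %d", i)
		}
		w := ef.WrappedRC4Keys[i]
		rc4Key, err := gcm.Open(nil, w[:ns], w[ns:], nil) // also detects tampering
		if err != nil {
			return nil, fmt.Errorf("block %d: %w", i, err)
		}
		out = append(out, rc4XOR(rc4Key, block)...)
	}
	return out, nil
}
```

Generate a key pair with NewAttackerKey(2048), call Encrypt on a constructed 1.1 MB buffer, and you get three blocks, three wrapped RC4 keys and one wrapped AES key; Decrypt with the same private key returns the original bytes, while Decrypt with any other 2048-bit key fails at the RSA step before a single block is touched. Everything the victim holds (the blocks and both layers of wrapped keys) is visible in the struct, and none of it helps without the private key, which is the whole point of the design.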
The defences against ransomware are unglamorous: keep operating systems and applications patched (NAYANA's stack was a decade behind), keep backups that a compromised server cannot reach or overwrite and prove they work by actually restoring from them, and train employees not to open suspicious links or email attachments.
Technology can only do so much in protecting itself. The weak link is often the human factor, which is why education and security awareness matter so much. In the NAYANA case, though, the evidence points at unpatched, internet-facing servers rather than a clicked link, and no amount of awareness training fixes a 2006 web server.
Otherwise, it could cost you a million dollars.