Most security experts agree that paying a ransomware demand isn’t a good idea. There are often tools available that can decrypt the malware, and even if you do hand over the Bitcoins, it’s no guarantee that the hackers will give you a decryption key, or that they won’t come back and hit your system again. Sometimes, however, paying a ransom is the only choice.
According to a blog post published last week, giving in to ransomware demands was the only option for South Korean Web host company Nayana. It had been infected with malware that encrypted data stored on 153 Linux severs and 3400 of its customers’ websites.
Trend Micro reports that the company was attacked on June 10 by a variant of ransomware known as Erebus, which first emerged in September last year when it was being spread through malicious ads.
Erebus had only targeted computers running Windows, but this version was modified so it could attack Linux systems. How it infected Nayana is unclear, but it’s thought the hackers exploited a vulnerability in the unpatched systems it was using - an old Linux kernel (184.108.40.206) compiled in 2008, along with Apache 1.3.36 and PHP 5.1.4, both of which date from 2006.
The ransom demand was originally 5 billion won worth of Bitcoin, which works out at around $4.4 million. But this was negotiated down to 1.8 billion won, before being further reduced to 1.2 billion won (just over $1 million).
Nayana said it would raise the money by lending shares to a firm that had previously offered to acquire the web hosting company. It is now working with the Korea Internet and Security Agency (KISA) and other “cyber criminal investigators.”
An updated post over the weekend stated that Nayana’s engineers were in the process of recovering the data. Another recovery status announcement is due later today.
For firms that don’t want to hand over a ton of cash, remember to make sure your systems are secure and always keep backups.