The biggest ransomware payment ever discovered
FUD around ransomware suddenly gets real with one business making a single payment of more than $1m...
There have been plenty of warnings over ransomware in the last six months or so, but none predicted just how quickly things have gone sour. An unfortunate watershed has been reached - the largest known ransomware payment has just topped $1.01 million.
By contrast, the highest ransom demand of 2016 is thought to have been MIRCOP ransomware’s $28,730, and the widely reported WannaCry ransomware, which hit 200,000 computers across 150 countries, is thought to have netted less than $150,000. In short, the largest ransom of 2017 so far represents a 3,415 per cent increase on the 2016 maximum. Never before has the ‘well, that escalated quickly’ meme been more relevant.
The company in question, a South Korean web hosting company called NAYANA, was infected on June 10 by a variant of Erebus. This malware successfully encrypted 153 Linux servers, hosting more than 3,400 business websites. The attackers initially demanded an enormous ransom of 550 Bitcoins (BTC), roughly US$1.62 million, in order to decrypt the affected files. The company negotiated this down to 397.6 BTC (around $1.01 million), and claims to have begun decrypting the servers in batches.
According to an analysis of the attack by TrendMicro, Erebus encrypts 433 file types and is coded mainly to target web servers and the data stored on them. It uses a layered system of encryption: files are first scrambled with RC4 in 500kB blocks using randomly generated keys, the RC4 key is then encrypted with AES, and RSA-2048 is applied as the outermost layer. “Ongoing analysis indicates that decryption is not possible without getting hold of the RSA keys”, according to Trend researchers.
Although the malware unfortunately appears to be well-designed, the same can’t be said of NAYANA’s systems. NAYANA’s website runs on Linux kernel 220.127.116.11, which was compiled back in 2008, and also Apache version 1.3.36 and PHP version 5.1.4, both of which were released back in 2006. Needless to say, patching and updating these over the last decade or so would be wise - Apache’s latest version is 2.4.26 (released 2017-06-19).
“The version of Apache NAYANA used is run as a user of nobody(uid=99), which indicates that a local exploit may have also been used in the attack”, noted the researchers.
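The stack described above is a decade out of date, and the first defensive step is simply knowing that. The following is an added example (not NAYANA's or Trend Micro's tooling) of a small version-audit script: it parses installed version strings, compares them with a minimum-version policy, and reports every component that falls short. The sample inventory is constructed from the Apache and PHP versions quoted in the article; the Apache 2.4.26 minimum is the release the article cites, while the PHP minimum is an assumed policy value chosen for illustration.

```python
"""Audit a web stack's component versions against a minimum-version policy.

Added example for this article, not NAYANA's or Trend Micro's tooling.
The sample inventory is constructed from the versions quoted in the article;
the policy minimums are assumptions chosen for illustration, except the
Apache 2.4.26 figure, which the article gives as the then-current release.
"""
import re
from typing import Dict, List, Tuple

# Minimum acceptable versions (assumed policy, not a vendor statement).
POLICY: Dict[str, str] = {
    "apache": "2.4.26",   # latest release cited in the article (2017-06-19)
    "php": "7.0.0",       # assumption: anything older treated as end-of-life
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.4.26' or 'Apache/1.3.36' into a comparable tuple of ints.

    Non-numeric suffixes (e.g. '5.1.4-dev') are ignored; a string with no
    digits raises ValueError so a garbled inventory line is not silently
    treated as version 0.
    """
    m = re.search(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def audit(inventory: Dict[str, str], policy: Dict[str, str] = POLICY) -> List[str]:
    """Return one finding per component that is below the policy minimum.

    Components absent from the policy are reported as unreviewed rather than
    silently passed, so an incomplete policy is visible in the output.
    """
    findings = []
    for component, installed in inventory.items():
        if component not in policy:
            findings.append(f"{component} {installed}: no policy minimum defined")
            continue
        if parse_version(installed) < parse_version(policy[component]):
            findings.append(
                f"{component} {installed}: below minimum {policy[component]}"
            )
    return findings


if __name__ == "__main__":
    # Constructed inventory using the versions the article attributes to NAYANA.
    sample = {"apache": "Apache/1.3.36", "php": "5.1.4"}
    for line in audit(sample):
        print("FAIL", line)
```

Run against the constructed inventory, the script reports both Apache 1.3.36 and PHP 5.1.4 as below policy; feeding it the real output of `httpd -v` and `php -v` is a one-line change to `sample`.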
Ilia Kolochenko, CEO of High-Tech Bridge, commented on the best strategy for defending against ransomware: “first of all, we need to only keep the necessary software on user machines and make sure that all software, not only the OS, is up to date. Client-side security software and various security hardening mechanisms are also very important. Last but not least, continuous security monitoring and anomaly detection systems should be implemented.
“Ransomware is about business, not about technology. All the components for ransomware (e.g. encryption mechanisms, exploit packs, etc.) have existed for many years. However, with the ransomware approach, victims have no other simple way to get their data back other than to pay. Reliability and certainty of payment makes ransomware especially attractive for cybercriminals.”
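One concrete form of the anomaly detection mentioned in the quote, added here as an example and not Kolochenko's or High-Tech Bridge's code, is to watch for the signature of mass encryption: a single host rewriting many files of many different types in a short window. The detector below keeps a sliding per-host window of write and rename events and raises one alert when both a volume threshold and a distinct-file-type threshold are crossed. The log format (`<epoch seconds> <host> <action> <path>`), the thresholds, and the sample events are all constructed assumptions; a real deployment would feed it from whatever file-activity source (auditd, an inotify-based agent) is already in place.

```python
"""Flag bursts of file rewrites that look like mass encryption.

Added example for this article; not a product feature. The log lines are
constructed, and the format '<epoch seconds> <host> <action> <path>' is an
assumption standing in for whatever file-activity monitor is deployed.
"""
from collections import deque
from pathlib import PurePosixPath
from typing import Deque, Dict, List, Tuple

WINDOW_SECONDS = 60     # sliding window length
MAX_WRITES = 50         # writes per window before alerting (tuning assumption)
MIN_DISTINCT_EXT = 5    # and they must span at least this many file types


def parse_event(line: str) -> Tuple[int, str, str, str]:
    """Split one constructed log line into (timestamp, host, action, path)."""
    ts, host, action, path = line.split(maxsplit=3)
    return int(ts), host, action, path


def detect_bursts(lines: List[str]) -> List[Tuple[str, int, int, int]]:
    """Return one (host, window_end_ts, write_count, distinct_ext) per alert.

    An alert fires the first time a host's window crosses both thresholds;
    the window is then cleared so a long burst yields one alert, not one
    per event. Routine activity that is high-volume but single-type (a
    cache directory being refreshed) never trips the distinct-type bar.
    """
    windows: Dict[str, Deque[Tuple[int, str]]] = {}
    alerts = []
    for line in lines:
        ts, host, action, path = parse_event(line)
        if action not in ("write", "rename"):
            continue
        q = windows.setdefault(host, deque())
        q.append((ts, PurePosixPath(path).suffix.lower()))
        # Drop events that have fallen out of the sliding window.
        while q and ts - q[0][0] > WINDOW_SECONDS:
            q.popleft()
        exts = {ext for _, ext in q}
        if len(q) >= MAX_WRITES and len(exts) >= MIN_DISTINCT_EXT:
            alerts.append((host, ts, len(q), len(exts)))
            q.clear()
    return alerts


def sample_log() -> List[str]:
    """Constructed events: web02 does routine cache writes two minutes apart,
    while web01 rewrites 60 files of six types within 30 seconds."""
    base = 1497052800
    lines = [f"{base + i * 120} web02 write /var/www/site/cache/{i}.tmp" for i in range(10)]
    exts = ["php", "html", "jpg", "sql", "css", "js"]
    for i in range(60):
        lines.append(f"{base + i // 2} web01 write /var/www/site{i % 7}/index.{exts[i % 6]}")
    return sorted(lines, key=lambda l: int(l.split()[0]))


if __name__ == "__main__":
    for host, ts, count, kinds in detect_bursts(sample_log()):
        print(f"ALERT {host}: {count} writes across {kinds} file types ending at {ts}")
```

On the constructed log this produces exactly one alert, for web01 at the fiftieth write, while web02's slow cache churn stays silent. The two-threshold design is deliberate: volume alone is noisy on a busy web server, but volume combined with breadth of file types is much closer to what an encryptor that handles hundreds of extensions actually looks like on disk.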
Meanwhile, in spite of the global coverage of the WannaCry ransomware, it has emerged that carmaker Honda halted production at its Sayama vehicle plant, northwest of Tokyo, for an entire day after finding the malware on its network this week. The plant has a daily output of around 1,000 vehicles, making the temporary closure exceedingly expensive for Honda.
Looks like the ransomware story for 2017 has only just begun...