Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Bitcoin Businesses Privacy Security The Almighty Buck

South Korean Web Hosting Provider Pays $1 Million In Ransomware Demand (bleepingcomputer.com) 100

An anonymous reader writes: Nayana, a web hosting provider based in South Korea, announced it is in the process of paying a three-tier ransom demand of nearly $1 million worth of Bitcoin, following a ransomware infection that encrypted data on customer' servers. The ransomware infection appears has taken place on June 10, but Nayana admitted to the incident two days later, in a statement on its website.

Attackers asked for an initial ransom payment of 550 Bitcoin, which was worth nearly $1.62 million at the time of the request. After two days of negotiations, Nayana staff said they managed to reduce the ransom demand to 397.6 Bitcoin, or nearly $1 million. In a subsequent announcement, Nayana officials stated that they negotiated with the attackers to pay the ransom demand in three installments, due to the company's inability to produce such a large amount of cash in a short period of time.

On Saturday, June 17, the company said it already paid two of the three payment tranches. In subsequent announcements, Nayana updated clients on the server decryption process, saying the entire operation would take up to ten days due to the vast amount of encrypted data. The company said 153 Linux servers were affected, servers which stored the information of more than 3,400 customers.

This discussion has been archived. No new comments can be posted.

South Korean Web Hosting Provider Pays $1 Million In Ransomware Demand

Comments Filter:
  • by HumanWiki ( 4493803 ) on Tuesday June 20, 2017 @03:08PM (#54656159)

    So, outside of the question of where are all your backups, dB logging, aux-copy, snapshots, etc... How did this happen?? (reads bottom part of article)..

    Nevermind....

  • While this is new from the concept of internet transfer, the same kind of story happened every for debt payment regarding drugs or gambling. Don't start blame Bitcoin on that... bad guys just use the best technology around as usual.
  • What, you thought it was the Chinese?

    Lol.

  • "You know... (Score:5, Insightful)

    by cirby ( 2599 ) on Tuesday June 20, 2017 @03:10PM (#54656177)

    "It's a lot cheaper for us to hire some really awful people to find you and get the money back, so why don't you just hand over the encryption keys right now?

  • Once again (Score:4, Insightful)

    by mfh ( 56 ) on Tuesday June 20, 2017 @03:15PM (#54656209) Homepage Journal

    A Trend Micro analysis of the Nayana systems reveals endemic problems. It is no surprise that the hosting provider fell victim to this infection.

    Once again, a company is managed by sales guys not tech guys. What could possibly go wrong?

    IT Guy: "We need to upgrade our servers."

    Business guy: "That costs too much. Don't bring suggestions like that to a meeting again!"

    IT Guy: {{okay.png}}

    The version of Apache NAYANA used is run as a user of nobody(uid=99), which indicates that a local exploit may have also been used in the attack.

    Oh wait. Maybe it was an inside job?

    The gnuplot thickens!

    • by s1d3track3D ( 1504503 ) on Tuesday June 20, 2017 @03:33PM (#54656335)

      Oh wait. Maybe it was an inside job?

      NAYANA’s website runs on Linux kernel 2.6.24.2, which was compiled back in 2008. [...] Additionally, NAYANA’s website uses Apache version 1.3.36 and PHP version 5.1.4, both of which were released back in 2006.

      With versions like this, who doesn't have a remote shell account with elevated privileges on their servers!?

    • by Mashiki ( 184564 )

      Oh wait. Maybe it was an inside job?

      This is my guess...or it was someone who managed to talk themselves in through the door. That's one's becoming quite popular too, all you need is someone that's a good bullshitter to pull it off. Remember that bank job(Bangladesh) a year or so back? That one has a lot of inside job markers to it too.

    • by Tablizer ( 95088 )

      Once again, a company is managed by sales guys not tech guys.

      Investors may know and accept the trade-offs. Slimy salesy companies often can and do grow big and make investors wealthy.

      I don't know what percent of investors are that way, but there are sufficient numbers to keep plenty of slimers afloat. Big investors can spread the risk so that no one slimer flame-out ruins their aggregate portfolio. They are playing the averages.

    • The version of Apache NAYANA used is run as a user of nobody(uid=99), which indicates that a local exploit may have also been used in the attack.

      Oh wait. Maybe it was an inside job?

      No, it just means that more than one exploit had to be used: a remote exploit to get any code running on the machine and a local exploit to get root privileges. With a system that hasn't been updated in almost a decade, there would be plenty of local exploits to choose from though.

  • by Anonymous Coward

    The take-away line for me was at the end where it mentions the affected machines are 153 Linux servers that got encrypted. Linux. Let that sink in. Unless these were VM's running on a Windows hosting base, Linuxland has a large threat to face.

    • I don't believe that you can blame Linux or Windows when updating and patching your systems avoids this type of thing. Again, this was an attack on systems that were not updated properly. If known vulnerabilities are out there and you are not updating your system. The OS developer has done their job and patched the security hole. You have not done your job in updating your systems. There is no excuse for a web hosting company not updating systems when they have huge amounts of public facing IP addresses.
    • Actually, my hunch would be these were Linux file servers. And an infected Windows machine with root-level access to the file shares on these servers encrypted everything. This is the reason we keep telling people that you need an offline backup. Ransomware will simply encrypt an always-online backup along with the computer's files.
    • Adjust your takeaway... At first I was surprised too, but then discovered it seems their servers had not been updated in something like 9 years! That has little to do with being Linux and a lot to do with zero maintenance.

  • by Dan1701 ( 1563427 ) on Tuesday June 20, 2017 @03:31PM (#54656309)

    If you pay the ransom in secret, then the guys who set you up this time now know a three of useful things:

    1) You are stupid enough to pay ransoms.
    2) You are stupid enough to run vulnerable systems which make setting up the demand possible.
    3) You have the money to pay these ransoms.

    In short, you just lit up an enormous great SUCKER sign right up above your heads, but only for the criminal group that ran the fiddle.

    These utter idiots have however publicly said that they paid the ransom. Now every script kiddie on the planet knows those three facts, and they are ALL going to be gunning for the known-rich suckers.

    This company can be counted as dead and gone right now. If you own stock in it, get rid soonest, before it becomes worthless.

    • by itamihn ( 1213328 ) on Tuesday June 20, 2017 @03:38PM (#54656355) Homepage

      Also, can they be prosecuted for these payments? They are in the end sending money to an illegal organisation.

      • by Mashiki ( 184564 )

        Yes in many countries. But it wouldn't surprise me to hear that the police are involved in some way in order to try and find out who is trying to blackmail them. That does happen from time to time, and they use big media blitz's like this to try and flush people out.

        • by F.Ultra ( 1673484 ) on Tuesday June 20, 2017 @05:14PM (#54657011)
          Please list any democratic country where it's illegal to pay a ransom. Paying a ransom is not equated with supporting a illegal organisation or as fencing in any jurisdiction that I'm aware of. Any attempt to make such payments would only yield one end result; the victims would be extremely less motivated to involve the police.
          • Re: (Score:3, Informative)

            by Anonymous Coward

            Please list any democratic country where it's illegal to pay a ransom. Paying a ransom is not equated with supporting a illegal organisation or as fencing in any jurisdiction that I'm aware of. Any attempt to make such payments would only yield one end result; the victims would be extremely less motivated to involve the police.

            Here's one; Canada.

            http://nationalpost.com/news/c... [nationalpost.com]

            • Seams to be only because it's about teh terrorists (which of course still makes your claim valid)
          • by AmiMoJo ( 196126 )

            It's illegal in the UK if you know or could reasonably expect the funds will go towards terrorism. Basic criminals though, you can pay them.

            • Of course both UK and US would go completely bananas when it comes to terrorists, don't know why I didn't see that one coming.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Also, they just armed a criminal group with enough money to fund their next attack. Thanks for nothing.

    • OR, the negotiations were just to buy investigators more time to setup a sting and the entire payment is bait. Like when a bank gives robbers money but hides a dye-pack in the sack.
  • by mnemotronic ( 586021 ) <mnemotronic@@@gmail...com> on Tuesday June 20, 2017 @03:54PM (#54656479) Homepage Journal
    If it takes 10 days to decrypt the data, wouldn't it have taken at least that long to encrypt it? So :
    1. Didn't any of the Nayana admins notice any unusual activity? I'm guessing not, given the breadth and depth of their other server configuration shortcomings.
    2. Didn't any of the customers notice their data disappearing?
    3. If a new file is added to the system at this point will it be encrypted? If an existing encrypted PDF file is renamed with an extension/type NOT in the encryption type list, will it get decrypted?
    • I'm not a ransomware author, but if I were I'd filter the I/O requests such that as I encrypted files, I would decrypt them on the fly as they were demanded until I was finished. Then I would possibly continue until my peers were also finished, and then probably raise the demand.

      I would be a little surprised (and sort of oddly disappointed) if this isn't how this class of ransomware works. Doing this is not rocket surgery.
  • ... probably would've cost them more.
    Then, lost customers.

    Well played, ransomers, well played

  • charge them for conspiring with and funding criminals
    • That would just make matters worse. If you criminalize the victims you just make them less likely to involve the police and the criminals can operate far easier without risking getting caught (if no one files any charges then no one will be chasing them and the victims want's their data back).
      • Great, thats a second conspiracy charge.
        • Which opens you up for endless blackmail. #1 install ransomware. #2 collect ransom-money. #3 blackmail victim that you will tell the authorities that they did pay your ransom. #4 profit for ever.
  • pay the ransom demand in three installments, due to the company's inability to produce such a large amount of cash in a short period of time.

    Any company stupid enough that they have to pay ransom in the hope of getting their data back (there's a good chance they won't) deserve to go broke. BACKUPS. CONTINGENCY PLANS. Yeah it takes time and money but it's a lot fucking cheaper than sending random criminals millions of dollars and then listening to the sound of them laughing at you when they simply disappear with the money.

    • From TFA they installed the servers 8 years ago and have not applied a single patch since. I would say that they already proved to be stupid there and then.
  • What, they had no DR strategy? This type of incident is just what DR is for. Your data is a smoking hole in the ground. Now, rebuild. You have 24 hours.

  • Headline should say, "Company would rather pay million dollar ransom than pay for competent help"

    Who cares? Why is this is on Slashdot? We all already know. The situation is predictable and happens all the time. Water is wet, news at 11.

  • So how do you pay $1M (or any amount) of bitcoin to a the ransomware owners without getting some sort of guarantee from them that they will actually deliver the decrypt key? You just send the transaction and hope they hold up their end of the bargain?

    If they were in communication with the bad guys, that means there is some communication trail back to them. I can't see savvy malware people exposing themselves that way.

  • The ransomware writers allowed them to pay the rest later, so they had to tell the ransomware to postpone the deletion of files.
  • Word needs te get out, that secret service organizations have started to see this behavior of criminals as a threat to national security / national interests.

    When MI5 / CIA / FSB people start making people wake up with their testicles in a glass on the nightstand, the willingness of talented hackers to go for the "easy" money will decrease. Till then, every talented guy living in a shithole in eastern Uzbekistan will see this method as a way out of his shitty live.

  • They would have been safe! because you know, Linux!

    And who cares if a windows server got infected because it was never patched - still all windows fault!

As you will see, I told them, in no uncertain terms, to see Figure one. -- Dave "First Strike" Pare

Working...