South Korean Web Hosting Provider Pays $1 Million In Ransomware Demand

An anonymous reader writes: Nayana, a web hosting provider based in South Korea, announced it is in the process of paying a three-tier ransom demand of nearly $1 million worth of Bitcoin, following a ransomware infection that encrypted data on customer' servers. The ransomware infection appears has taken place on June 10, but Nayana admitted to the incident two days later, in a statement on its website.

Attackers asked for an initial ransom payment of 550 Bitcoin, which was worth nearly $1.62 million at the time of the request. After two days of negotiations, Nayana staff said they managed to reduce the ransom demand to 397.6 Bitcoin, or nearly $1 million. In a subsequent announcement, Nayana officials stated that they negotiated with the attackers to pay the ransom demand in three installments, due to the company's inability to produce such a large amount of cash in a short period of time.

On Saturday, June 17, the company said it already paid two of the three payment tranches. In subsequent announcements, Nayana updated clients on the server decryption process, saying the entire operation would take up to ten days due to the vast amount of encrypted data. The company said 153 Linux servers were affected, servers which stored the information of more than 3,400 customers.

WTF --- So, no backups, at all?

[HumanWiki]

So, outside of the question of where are all your backups, dB logging, aux-copy, snapshots, etc... How did this happen?? (reads bottom part of article)..

Nevermind....

Re:WTF --- So, no backups, at all?

[HumanWiki]

Backing up User VMs is trivial. So is a snapshot system. Most all the major hypervisor makers have this built in and there are also plenty of free ware things to do this as well..

You can run Hyper-V, with free Veeam and with some scheduled task stuff from Task Scheduler or a Jenkins systems, you can kick of Powershell code that will automagically find all your VMs, even in a non-clustered pool (so long as you registered the hosts in Veeam free), and then back them all up as full sets, with compression and/or encryption to a NAS device of some sort.

Restoring is also easily done AND you can restore the whole machine as it was at the stun/snap, registered, powered on and everything, restore just the VM filesets to manually register and start or you can do varying levels of OS level file restore for just those files that got mucked up.

This stuff is pretty easy to do and low cost.

Re:WTF --- So, no backups, at all?

[Dunbal]

Storing thousands (if not many many more) of VM backups for customers for free is "low cost"?

If you wrote out the contract properly then you made sure that user backups are the user's responsibility, in which case you don't have to pay a single penny ransom because you don't owe anyone anything. Well you could be nice and take snapshots once a week or something and if users complain you point to the appropriate clause in the contract. There is NO excuse. None. You're trying to justify idiocy. Don't. It just makes you look bad too.

Re:

[AmiMoJo]

If you wrote out the contract properly then you made sure that user backups are the user's responsibility, in which case you don't have to pay a single penny ransom because you don't owe anyone anything.

Yeah.... When it emerges that you were running a kernel from 2008 and Apache/PHP from 2006, as TFA says they were, if you want your business to survive you had better make some effort to atone for your gross incompetence. In the current market place there are plenty of similarly priced hosting providers who also offer software from this decade.

Re:

[strikethree]

If you wrote out the contract properly then you made sure that user backups are the user's responsibility, in which case you don't have to pay a single penny ransom because you don't owe anyone anything.

Hm... kind of. Any business contract that allowed the company to fail in providing services to the customers with no penalties would be a rather odd thing. Meaning, yeah, the customer likely could not sue for loss of data, but it was the hosting company servers that were compromised, not the customers servers (of course customer servers were affected because they ride on top of company servers, but that is not the point).

Long story short, yeah, the hosting company will not likely be held liable for the loss

Re:

[Bert64]

Depends what kind of service the customers bought and how much they paid for it..
Unless the hosting provider guaranteed uptime or offered backups as part of the service, they can just say "catastrophic data loss, heres a new blank vm" and that's it. No different to if the building burned down or whatever.

Also, perhaps they were doing backups, but did so to an online target that also got hit by the ransomware? It's not uncommon for backups to be performed to online storage like this, as people usually think

Re:

[Anonymous Coward]

That is too true.

My old company I used to work for would not listen to me the IT manager, as the IT Director (Who was known as Can't Understand New Technology) inisted we only need one backup tape to backup the company data and insisted we kept the tape in his office. Needless to say I had all the memo's to backup (no pun) my position on this and many other matters. Well we had a fire, the tape got burnt and the servers were also fried and bang NO DATA, the company quickly sacked the IT manager with a 2 fin

Re:

[Anonymous Coward]

I do not know how many times I have heard a DBA or System Admin claim that they had sound backups... because legato (etc...) server said they did, only to find out that they had no usable backup tapes when something bad did happen and they had to recover.

There is a significant cost to testing the recovery of backups and many companies do not test to make certain that the backups they are running have any value at all

Re: WTF --- So, no backups, at all?

[corychristison]

Object storage has made proper archival backups for my company a little more manageable and more affordable.

Each server creates incremental backups of the necessary data every 8 hours (os config files, selective filesystem data, database dumps, etc).

From there the backup files are replicated into our backup cluster. The backup cluster then encrypts and replicates it all into both OVH's object storage [ovh.com] and Backblaze's B2 object storage [backblaze.com]. The cluster only keeps the most recent 7 days on hand.

In object storage,

Same kind of story happend every using cash

[JcMorin]

While this is new from the concept of internet transfer, the same kind of story happened every for debt payment regarding drugs or gambling. Don't start blame Bitcoin on that... bad guys just use the best technology around as usual.

North Korea thanks you for your payment

[WillAffleckUW]

What, you thought it was the Chinese?

Lol.

"You know...

[cirby]

"It's a lot cheaper for us to hire some really awful people to find you and get the money back, so why don't you just hand over the encryption keys right now?

Re:

[Anonymous Coward]

Or if Nayana had just put some get-out-of-responsibility-free clause in their user contracts

Re: Always

[mnemotronic]

Evgeniy! How ya doin' you old cyberwanker you? You never call anymore. Come by for espresso some day. We'll talk.

Re:

[Anonymous Coward]

For one reason, it would be quite difficult to know exactly where these people are based, let alone that there's one-one else near by.

Re:

[omnichad]

Globally?

Re:

[Anonymous Coward]

Paying the ransom or using Tomahawk is a very expensive solution. Why not buy a $200K hardware and crack the RSA-2048 private key used for the encryption? Or maybe even cheaper solution is to shell out $50K to trace the Tor logs and pinpoint the servers of this Erebus ransomware.

Re:

[mike.mondy]

Paying the ransom or using Tomahawk is a very expensive solution. Why not buy a $200K hardware and crack the RSA-2048 private key used for the encryption?

They say ten days to decrypt? I imagine the encryption took multiple days too. They should have had a good chance at finding a machine where it was still running.

The most recent linux ransomware I've seen was the so-called "motd virus" that used a simplistic python script to do AES-128 encryption with a 512 bit key. That's symmetric. With it running for days as an ordinary process, you can probably spot it and get a core image. It would only take a fraction of a day to try every set of contiguous

Re:

[Sperbels]

Yes, but the satisfaction gained expending a missile for this purpose makes it worthwhile.

Re:

[F.Ultra]

Well, you now have an idea for a new Kickstarter!

Once again

[mfh]

A Trend Micro analysis of the Nayana systems reveals endemic problems. It is no surprise that the hosting provider fell victim to this infection.

Once again, a company is managed by sales guys not tech guys. What could possibly go wrong?

IT Guy: "We need to upgrade our servers."

Business guy: "That costs too much. Don't bring suggestions like that to a meeting again!"

IT Guy: {{okay.png}}

The version of Apache NAYANA used is run as a user of nobody(uid=99), which indicates that a local exploit may have also been used in the attack.

Oh wait. Maybe it was an inside job?

The gnuplot thickens!

Re:Once again

[s1d3track3D]

Oh wait. Maybe it was an inside job?

NAYANA’s website runs on Linux kernel 2.6.24.2, which was compiled back in 2008. [...] Additionally, NAYANA’s website uses Apache version 1.3.36 and PHP version 5.1.4, both of which were released back in 2006.

With versions like this, who doesn't have a remote shell account with elevated privileges on their servers!?

Re:

[omnichad]

If everyone's inside, then it's an inside job!

Re:

[Mashiki]

Oh wait. Maybe it was an inside job?

This is my guess...or it was someone who managed to talk themselves in through the door. That's one's becoming quite popular too, all you need is someone that's a good bullshitter to pull it off. Remember that bank job(Bangladesh) a year or so back? That one has a lot of inside job markers to it too.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Tablizer]

Once again, a company is managed by sales guys not tech guys.

Investors may know and accept the trade-offs. Slimy salesy companies often can and do grow big and make investors wealthy.

I don't know what percent of investors are that way, but there are sufficient numbers to keep plenty of slimers afloat. Big investors can spread the risk so that no one slimer flame-out ruins their aggregate portfolio. They are playing the averages.

Re:

[MtHuurne]

The version of Apache NAYANA used is run as a user of nobody(uid=99), which indicates that a local exploit may have also been used in the attack.

Oh wait. Maybe it was an inside job?

No, it just means that more than one exploit had to be used: a remote exploit to get any code running on the machine and a local exploit to get root privileges. With a system that hasn't been updated in almost a decade, there would be plenty of local exploits to choose from though.

"153 Linux servers" ... uh-oh

[Anonymous Coward]

The take-away line for me was at the end where it mentions the affected machines are 153 Linux servers that got encrypted. Linux. Let that sink in. Unless these were VM's running on a Windows hosting base, Linuxland has a large threat to face.

Re:

[sqorbit]

I don't believe that you can blame Linux or Windows when updating and patching your systems avoids this type of thing. Again, this was an attack on systems that were not updated properly. If known vulnerabilities are out there and you are not updating your system. The OS developer has done their job and patched the security hole. You have not done your job in updating your systems. There is no excuse for a web hosting company not updating systems when they have huge amounts of public facing IP addresses.

Re:

[Solandri]

Actually, my hunch would be these were Linux file servers. And an infected Windows machine with root-level access to the file shares on these servers encrypted everything. This is the reason we keep telling people that you need an offline backup. Ransomware will simply encrypt an always-online backup along with the computer's files.

Re:

[markdavis]

Adjust your takeaway... At first I was surprised too, but then discovered it seems their servers had not been updated in something like 9 years! That has little to do with being Linux and a lot to do with zero maintenance.

Re:

[Anonymous Coward]

Trouble is, as soon as you had something like that, it would end up used for fraudulent transactions during normal purchases. I could buy a $800 phone from you, wait until I get the phone, then the bitcoins I paid you with disappear.

Re:

[avandesande]

every transaction is here https://blockchain.info/ [blockchain.info]

Re:

[david_thornley]

You can trace bitcoins from wallet to wallet. Figuring out who the wallets belong to is more of a problem, particularly if they're in another country.

Well look who just went out of business!

[Dan1701]

If you pay the ransom in secret, then the guys who set you up this time now know a three of useful things:

1) You are stupid enough to pay ransoms.
2) You are stupid enough to run vulnerable systems which make setting up the demand possible.
3) You have the money to pay these ransoms.

In short, you just lit up an enormous great SUCKER sign right up above your heads, but only for the criminal group that ran the fiddle.

These utter idiots have however publicly said that they paid the ransom. Now every script kiddie on the planet knows those three facts, and they are ALL going to be gunning for the known-rich suckers.

This company can be counted as dead and gone right now. If you own stock in it, get rid soonest, before it becomes worthless.

Re:Well look who just went out of business!

[itamihn]

Also, can they be prosecuted for these payments? They are in the end sending money to an illegal organisation.

Re:

[Mashiki]

Yes in many countries. But it wouldn't surprise me to hear that the police are involved in some way in order to try and find out who is trying to blackmail them. That does happen from time to time, and they use big media blitz's like this to try and flush people out.

Re:Well look who just went out of business!

[F.Ultra]

Please list any democratic country where it's illegal to pay a ransom. Paying a ransom is not equated with supporting a illegal organisation or as fencing in any jurisdiction that I'm aware of. Any attempt to make such payments would only yield one end result; the victims would be extremely less motivated to involve the police.

Re:

[Anonymous Coward]

Please list any democratic country where it's illegal to pay a ransom. Paying a ransom is not equated with supporting a illegal organisation or as fencing in any jurisdiction that I'm aware of. Any attempt to make such payments would only yield one end result; the victims would be extremely less motivated to involve the police.

Here's one; Canada.

http://nationalpost.com/news/c... [nationalpost.com]

Re:

[F.Ultra]

Seams to be only because it's about teh terrorists (which of course still makes your claim valid)

Re:

[AmiMoJo]

It's illegal in the UK if you know or could reasonably expect the funds will go towards terrorism. Basic criminals though, you can pay them.

Re:

[F.Ultra]

Of course both UK and US would go completely bananas when it comes to terrorists, don't know why I didn't see that one coming.

Re:

[F.Ultra]

For one it would make the muggers jobs easier since the victims would incriminate themselves if they reported the crime so basically home run for the muggers!

Re:

[Bert64]

You don't "give" your wallet to a mugger, the mugger takes it from you forcibly. Even if you physically hand it over, you have done so under duress during the act of being mugged.

Re:

[david_thornley]

Muggers don't have to take it by force, if they've got a good enough threat. In this case, the hosting company was in really deep doo-doo if they couldn't get their files back, so that looks a lot like duress to me.

Re:

[Anonymous Coward]

Also, they just armed a criminal group with enough money to fund their next attack. Thanks for nothing.

Re:

[PoopJuggler]

OR, the negotiations were just to buy investigators more time to setup a sting and the entire payment is bait. Like when a bank gives robbers money but hides a dye-pack in the sack.

Re: Well look who just went out of business!

[Anonymous Coward]

It's okay, the dye pack is digital.

Re:

[PoopJuggler]

Bitcoin is not as anonymous as you might think.

Re:

[religionofpeas]

It's perfectly anonymous to receive the coins in a fresh address. Spending them is a bit trickier, but if you're not in a hurry, you can do that a few years later, maybe from a open WiFi network somewhere in a parking lot during vacation abroad.

10 days?

[mnemotronic]

If it takes 10 days to decrypt the data, wouldn't it have taken at least that long to encrypt it? So :
1. Didn't any of the Nayana admins notice any unusual activity? I'm guessing not, given the breadth and depth of their other server configuration shortcomings.
2. Didn't any of the customers notice their data disappearing?
3. If a new file is added to the system at this point will it be encrypted? If an existing encrypted PDF file is renamed with an extension/type NOT in the encryption type list, will it get decrypted?

Re:

[chuckugly]

I'm not a ransomware author, but if I were I'd filter the I/O requests such that as I encrypted files, I would decrypt them on the fly as they were demanded until I was finished. Then I would possibly continue until my peers were also finished, and then probably raise the demand.

I would be a little surprised (and sort of oddly disappointed) if this isn't how this class of ransomware works. Doing this is not rocket surgery.

The lawsuits ...

[dasgoober]

... probably would've cost them more.
Then, lost customers.

Well played, ransomers, well played

end this

[Ryanrule]

charge them for conspiring with and funding criminals

Re:

[F.Ultra]

That would just make matters worse. If you criminalize the victims you just make them less likely to involve the police and the criminals can operate far easier without risking getting caught (if no one files any charges then no one will be chasing them and the victims want's their data back).

Re:

[Ryanrule]

Great, thats a second conspiracy charge.

Re:

[F.Ultra]

Which opens you up for endless blackmail. #1 install ransomware. #2 collect ransom-money. #3 blackmail victim that you will tell the authorities that they did pay your ransom. #4 profit for ever.

Re:Banks are the major clients of Nayana it seems

[Dunbal]

So here's a funny story. Your database gets encrypted. You don't have a backup so you pay a ransom. IF the bad guy is nice, you get a key to decrypt your database again. Since you don't have any sort of backup to compare it to.... how the fuck do you know they haven't inserted/deleted/modified anything in there as well? You don't until things start happening. Even better, the bad guys know that you don't, because you were dumb enough to tell them by paying the ransom. Welcome to phase 2 of your security nightmare. You are now their bitch.

Re:

[zlives]

our faith at FaithfUl baCK UPs is that criminals are not that mean.

Re:

[Bert64]

If they want to backdoor your database, they had the access to do so without drawing attention to their presence by demanding a ransom...

Re:

[Dunbal]

they had the access to do so without drawing attention to their presence by demanding a ransom...

That doesn't put money in your pocket like a ransom does.

Seriously

[Dunbal]

pay the ransom demand in three installments, due to the company's inability to produce such a large amount of cash in a short period of time.

Any company stupid enough that they have to pay ransom in the hope of getting their data back (there's a good chance they won't) deserve to go broke. BACKUPS. CONTINGENCY PLANS. Yeah it takes time and money but it's a lot fucking cheaper than sending random criminals millions of dollars and then listening to the sound of them laughing at you when they simply disappear with the money.

Re:

[F.Ultra]

From TFA they installed the servers 8 years ago and have not applied a single patch since. I would say that they already proved to be stupid there and then.

This is what DR is for

[roc97007]

What, they had no DR strategy? This type of incident is just what DR is for. Your data is a smoking hole in the ground. Now, rebuild. You have 24 hours.

Bad headline

[strikethree]

Headline should say, "Company would rather pay million dollar ransom than pay for competent help"

Who cares? Why is this is on Slashdot? We all already know. The situation is predictable and happens all the time. Water is wet, news at 11.

Guarantee?

[AlanObject]

So how do you pay $1M (or any amount) of bitcoin to a the ransomware owners without getting some sort of guarantee from them that they will actually deliver the decrypt key? You just send the transaction and hope they hold up their end of the bargain?

If they were in communication with the bad guys, that means there is some communication trail back to them. I can't see savvy malware people exposing themselves that way.

So there is a switch to delay deletion

[ayesnymous]

The ransomware writers allowed them to pay the rest later, so they had to tell the ransomware to postpone the deletion of files.

This problem is not going to go away unless....

[dr.Flake]

Word needs te get out, that secret service organizations have started to see this behavior of criminals as a threat to national security / national interests.

When MI5 / CIA / FSB people start making people wake up with their testicles in a glass on the nightstand, the willingness of talented hackers to go for the "easy" money will decrease. Till then, every talented guy living in a shithole in eastern Uzbekistan will see this method as a way out of his shitty live.

If only they had been running Linux

[blackpaw]

They would have been safe! because you know, Linux!

And who cares if a windows server got infected because it was never patched - still all windows fault!