2017-06-20
South Korean Web Hosting Provider Pays $1 Million In Ransomware Demand (bleepingcomputer.com)
An anonymous reader writes: Nayana, a web hosting provider based in South Korea, announced it is in the process of paying a three-tier ransom demand of nearly $1 million worth of Bitcoin, following a ransomware infection that encrypted data on customers' servers. The ransomware infection appears to have taken place on June 10, but Nayana admitted to the incident two days later, in a statement on its website.
Attackers asked for an initial ransom payment of 550 Bitcoin, which was worth nearly $1.62 million at the time of the request. After two days of negotiations, Nayana staff said they managed to reduce the ransom demand to 397.6 Bitcoin, or nearly $1 million. In a subsequent announcement, Nayana officials stated that they negotiated with the attackers to pay the ransom demand in three installments, due to the company's inability to produce such a large amount of cash in a short period of time.
On Saturday, June 17, the company said it had already paid two of the three payment tranches. In subsequent announcements, Nayana updated clients on the server decryption process, saying the entire operation would take up to ten days due to the vast amount of encrypted data. The company said 153 Linux servers were affected, servers which stored the information of more than 3,400 customers.
WTF --- So, no backups, at all? (Score:1)
So, outside of the question of where are all your backups, DB logging, aux-copy, snapshots, etc... How did this happen?? (reads bottom part of article)...
Backing up user VMs is trivial. So is a snapshot system. Most all the major hypervisor makers have this built in and there are also plenty of freeware things to do this as well.
You can run Hyper-V, with free Veeam and with some scheduled task stuff from Task Scheduler or a Jenkins system, you can kick off PowerShell code that will automagically find all your VMs, even in a non-clustered pool (so long as you registered the hosts in Veeam free), and then back them all up as full sets, with compression and/o
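As an added example (not the commenter's code, and not using Veeam), the kind of scheduled job described above built only from the Hyper-V module that ships with Windows: it enumerates every VM on a list of standalone hosts, exports each one to a dated folder on a backup share, and prunes exports past the retention window. The host names, share path and retention period are placeholders.

```powershell
# Added example: nightly full export of all VMs on standalone Hyper-V hosts.
# Uses only built-in cmdlets (Get-VM / Export-VM). Host names and the share
# below are placeholders, not values from the article or the comment.
param(
    [string[]] $Hosts         = @('hv-host01', 'hv-host02'),  # placeholder hosts
    [string]   $BackupRoot    = '\\backup-nas\hyperv',         # placeholder share
    [int]      $RetentionDays = 14
)

$stamp  = Get-Date -Format 'yyyy-MM-dd_HHmm'
$target = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $target -Force | Out-Null

foreach ($h in $Hosts) {
    # Export-VM writes a self-contained copy (configuration plus VHDX files)
    # that Import-VM can restore on any Hyper-V host. The -Path is resolved
    # on the remote host, so that host's computer account needs write access
    # to the share.
    Get-VM -ComputerName $h | ForEach-Object {
        $dest = Join-Path $target "$h\$($_.Name)"
        try {
            Export-VM -VM $_ -Path $dest -ErrorAction Stop
            Write-Output  "OK   $h/$($_.Name) -> $dest"
        } catch {
            Write-Warning "FAIL $h/$($_.Name): $($_.Exception.Message)"
        }
    }
}

# Prune exports older than the retention window. Exports written by the
# hosts are only as safe as the share: snapshot or replicate it somewhere
# the hosts cannot modify, otherwise ransomware running on a host can
# overwrite the backups along with the VMs.
Get-ChildItem -Path $BackupRoot -Directory |
    Where-Object { $_.CreationTime -lt (Get-Date).AddDays(-$RetentionDays) } |
    Remove-Item -Recurse -Force
```

Register the script with Register-ScheduledTask (or a Jenkins job, as the comment suggests) under an account that can read the hosts but is not used for day-to-day administration.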
North Korea thanks you for your payment (Score:1)
What, you thought it was the Chinese?
"You know... (Score:3, Funny)
"It's a lot cheaper for us to hire some really awful people to find you and get the money back, so why don't you just hand over the encryption keys right now?"
Once again (Score:2)
Once again, a company is managed by sales guys not tech guys. What could possibly go wrong?
IT Guy: "We need to upgrade our servers."
Business guy: "That costs too much. Don't bring suggestions like that to a meeting again!"
IT Guy: {{okay.png}}
Oh wait. Maybe it was an inside job?
NAYANA’s website runs on Linux kernel 2.6.24.2, which was compiled back in 2008. [...] Additionally, NAYANA’s website uses Apache version 1.3.36 and PHP version 5.1.4, both of which were released back in 2006.
With versions like this, who doesn't have a remote shell account with elevated privileges on their servers!?
Oh wait. Maybe it was an inside job?
This is my guess... or it was someone who managed to talk themselves in through the door. That one's becoming quite popular too; all you need is someone that's a good bullshitter to pull it off. Remember that bank job (Bangladesh) a year or so back? That one has a lot of inside job markers to it too.
"153 Linux servers" ... uh-oh (Score:1)
The take-away line for me was at the end where it mentions the affected machines are 153 Linux servers that got encrypted. Linux. Let that sink in. Unless these were VMs running on a Windows hosting base, Linuxland has a large threat to face.
Trouble is, as soon as you had something like that, it would end up used for fraudulent transactions during normal purchases. I could buy a $800 phone from you, wait until I get the phone, then the bitcoins I paid you with disappear.
Well look who just went out of business! (Score:4, Funny)
If you pay the ransom in secret, then the guys who set you up this time now know three useful things:
1) You are stupid enough to pay ransoms.
2) You are stupid enough to run vulnerable systems which make setting up the demand possible.
3) You have the money to pay these ransoms.
In short, you just lit up an enormous great SUCKER sign right up above your heads, but only for the criminal group that ran the fiddle.
These utter idiots have however publicly said that they paid the ransom. Now every script kiddie on the planet knows those three facts, and they are ALL going to be gunning for the known-rich suckers.
This company can be counted as dead and gone right now. If you own stock in it, get rid soonest, before it becomes worthless.
Also, can they be prosecuted for these payments? They are in the end sending money to an illegal organisation.
Yes, in many countries. But it wouldn't surprise me to hear that the police are involved in some way in order to try and find out who is trying to blackmail them. That does happen from time to time, and they use big media blitzes like this to try and flush people out.
10 days? (Score:2)
1. Didn't any of the Nayana admins notice any unusual activity? I'm guessing not, given the breadth and depth of their other server configuration shortcomings.
2. Didn't any of the customers notice their data disappearing?
3. If a new file is added to the system at this point will it be encrypted? If an existing encrypted PDF file is renamed with an extension/type NOT in the encryption type list, will it
The lawsuits ... (Score:1)
... probably would've cost them more.
Then, lost customers.
Well played, ransomers, well played
