Slashdot Mirror


South Korean Web Hosting Provider Pays $1 Million In Ransomware Demand (bleepingcomputer.com)

An anonymous reader writes: Nayana, a web hosting provider based in South Korea, announced it is in the process of paying a three-tier ransom demand of nearly $1 million worth of Bitcoin, following a ransomware infection that encrypted data on customers' servers. The ransomware infection appears to have taken place on June 10, but Nayana admitted to the incident two days later, in a statement on its website.

Attackers asked for an initial ransom payment of 550 Bitcoin, which was worth nearly $1.62 million at the time of the request. After two days of negotiations, Nayana staff said they managed to reduce the ransom demand to 397.6 Bitcoin, or nearly $1 million. In a subsequent announcement, Nayana officials stated that they negotiated with the attackers to pay the ransom demand in three installments, due to the company's inability to produce such a large amount of cash in a short period of time.

On Saturday, June 17, the company said it already paid two of the three payment tranches. In subsequent announcements, Nayana updated clients on the server decryption process, saying the entire operation would take up to ten days due to the vast amount of encrypted data. The company said 153 Linux servers were affected, servers which stored the information of more than 3,400 customers.

100 comments

  1. WTF --- So, no backups, at all? by HumanWiki · · Score: 5, Insightful

    So, outside of the question of where are all your backups, dB logging, aux-copy, snapshots, etc... How did this happen?? (reads bottom part of article)..

    Nevermind....

    1. Re:WTF --- So, no backups, at all? by Anonymous Coward · · Score: 0

      To most organizations, backups are more of an act of faith than anything else

    2. Re:WTF --- So, no backups, at all? by Anonymous Coward · · Score: 0

      also how do you back up user VMs? it's almost as though the user should be responsible for backing up their own systems.. but if your entire hosting provider is hacked then that's enough to bogeyman the customers to a new hosting provider.

      lather, rinse, repeat

    3. Re:WTF --- So, no backups, at all? by HumanWiki · · Score: 5, Informative

      Backing up User VMs is trivial. So is a snapshot system. Most all the major hypervisor makers have this built in and there are also plenty of freeware things to do this as well..

      You can run Hyper-V, with free Veeam and with some scheduled task stuff from Task Scheduler or a Jenkins system, you can kick off PowerShell code that will automagically find all your VMs, even in a non-clustered pool (so long as you registered the hosts in Veeam free), and then back them all up as full sets, with compression and/or encryption to a NAS device of some sort.

      Restoring is also easily done AND you can restore the whole machine as it was at the stun/snap, registered, powered on and everything, restore just the VM filesets to manually register and start or you can do varying levels of OS level file restore for just those files that got mucked up.

      This stuff is pretty easy to do and low cost.

    4. Re:WTF --- So, no backups, at all? by Anonymous Coward · · Score: 3, Interesting

      That is too true.

      My old company I used to work for would not listen to me the IT manager, as the IT Director (Who was known as Can't Understand New Technology) insisted we only need one backup tape to backup the company data and insisted we kept the tape in his office. Needless to say I had all the memos to backup (no pun) my position on this and many other matters. Well we had a fire, the tape got burnt and the servers were also fried and bang NO DATA, the company quickly sacked the IT manager with a 2 finger payoff.

    5. Re:WTF --- So, no backups, at all? by Anonymous Coward · · Score: 0

      Storing thousands (if not many many more) of VM backups for customers for free is "low cost"?

      Run customer systems at scale, in the real world like that and let us know how it works out for you. They're trying to avoid going under from 3400 customers suing them. They'll be lucky if they keep any of them.

    6. Re:WTF --- So, no backups, at all? by Anonymous Coward · · Score: 2, Insightful

      I do not know how many times I have heard a DBA or System Admin claim that they had sound backups... because the Legato (etc...) server said they did, only to find out that they had no usable backup tapes when something bad did happen and they had to recover.

      There is a significant cost to testing the recovery of backups and many companies do not test to make certain that the backups they are running have any value at all.

    7. Re:WTF --- So, no backups, at all? by Dunbal · · Score: 3, Informative

      Storing thousands (if not many many more) of VM backups for customers for free is "low cost"?

      If you wrote out the contract properly then you made sure that user backups are the user's responsibility, in which case you don't have to pay a single penny ransom because you don't owe anyone anything. Well you could be nice and take snapshots once a week or something and if users complain you point to the appropriate clause in the contract. There is NO excuse. None. You're trying to justify idiocy. Don't. It just makes you look bad too.

      --
      Seven puppies were harmed during the making of this post.
    8. Re:WTF --- So, no backups, at all? by Bert64 · · Score: 1

      Depends what kind of service the customers bought and how much they paid for it..
      Unless the hosting provider guaranteed uptime or offered backups as part of the service, they can just say "catastrophic data loss, here's a new blank vm" and that's it. No different to if the building burned down or whatever.

      Also, perhaps they were doing backups, but did so to an online target that also got hit by the ransomware? It's not uncommon for backups to be performed to online storage like this, as people usually think of backups as a way to mitigate hardware failure and don't plan for things like intentional destruction of data.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    9. Re: WTF --- So, no backups, at all? by corychristison · · Score: 1

      Object storage has made proper archival backups for my company a little more manageable and more affordable.

      Each server creates incremental backups of the necessary data every 8 hours (os config files, selective filesystem data, database dumps, etc).

      From there the backup files are replicated into our backup cluster. The backup cluster then encrypts and replicates it all into both OVH's object storage and Backblaze's B2 object storage. The cluster only keeps the most recent 7 days on hand.

      In object storage, we keep 6 weeks or so. Total cost for ~28TB is only about $300/mo between the two copies.

    10. Re:WTF --- So, no backups, at all? by AmiMoJo · · Score: 1

      If you wrote out the contract properly then you made sure that user backups are the user's responsibility, in which case you don't have to pay a single penny ransom because you don't owe anyone anything.

      Yeah.... When it emerges that you were running a kernel from 2008 and Apache/PHP from 2006, as TFA says they were, if you want your business to survive you had better make some effort to atone for your gross incompetence. In the current marketplace there are plenty of similarly priced hosting providers who also offer software from this decade.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    11. Re:WTF --- So, no backups, at all? by strikethree · · Score: 1

      If you wrote out the contract properly then you made sure that user backups are the user's responsibility, in which case you don't have to pay a single penny ransom because you don't owe anyone anything.

      Hm... kind of. Any business contract that allowed the company to fail in providing services to the customers with no penalties would be a rather odd thing. Meaning, yeah, the customer likely could not sue for loss of data, but it was the hosting company servers that were compromised, not the customers' servers (of course customer servers were affected because they ride on top of company servers, but that is not the point).

      Long story short, yeah, the hosting company will not likely be held liable for the loss of customer data but the hosting company can and will be held liable for the extended loss of service, which means they should have had backups, which is how this conversation was started. Proper backups would have allowed them to restore business operations within a much shorter time frame... and possibly garnered some good will from their customers if customer data had been backed up as well.

      --
      "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
  2. Same kind of story happened every using cash by JcMorin · · Score: 1

    While this is new from the concept of internet transfer, the same kind of story happened every for debt payment regarding drugs or gambling. Don't start blaming Bitcoin for that... bad guys just use the best technology around as usual.

  3. North Korea thanks you for your payment by WillAffleckUW · · Score: 1

    What, you thought it was the Chinese?

    Lol.

    --
    -- Tigger warning: This post may contain tiggers! --
  4. "You know... by cirby · · Score: 5, Insightful

    "It's a lot cheaper for us to hire some really awful people to find you and get the money back, so why don't you just hand over the encryption keys right now?

    1. Re:"You know... by Anonymous Coward · · Score: 0

      Even cheaper if only competent IT staff were hired by Nayana too.

    2. Re:"You know... by Anonymous Coward · · Score: 1

      Or if Nayana had just put some get-out-of-responsibility-free clause in their user contracts

    3. Re:"You know... by Anonymous Coward · · Score: 0

      That's basically the plot to Neal Stephenson's book REAMDE.

  5. Always by Anonymous Coward · · Score: 0

    Always pay the ransom folks.

    1. Re: Always by mnemotronic · · Score: 0

      Evgeniy! How ya doin' you old cyberwanker you? You never call anymore. Come by for espresso some day. We'll talk.

      --
      The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
  6. Is there any reason why? by Anonymous Coward · · Score: 0

    Is there any reason why the actual ransomware payment shouldn't be a couple of Tomahawk cruise missiles fired on the location of the attackers? These criminals are the scum of the Earth, so why shouldn't governments be taking them out when they get the chance? While businesses and individuals should keep backups to protect against hardware failures, these criminals are leeches on society and serve no useful purpose. Even if you have backups, these ransomware infections cause completely unnecessary downtime that, in and of itself, is harmful to individuals and businesses. Why not take the bastards out? Nothing of value would be lost.

    1. Re:Is there any reason why? by Anonymous Coward · · Score: 1

      For one reason, it would be quite difficult to know exactly where these people are based, let alone that there's no-one else nearby.

    2. Re:Is there any reason why? by Anonymous Coward · · Score: 0

      > Why not take the bastards out?

      Your "Tomahawk Cruise Missile" solution, or any fiat solution, requires something like a lat/lon of the malefactors. Fairly certain that hasn't been determined yet, and that hiding identity and location is the number one priority for bad actors like this.

    3. Re: Is there any reason why? by Anonymous Coward · · Score: 0

      They have to commit quite a lot more scams before their total theft would equal the cost of a single Tomahawk missile.

    4. Re: Is there any reason why? by Sperbels · · Score: 2

      Yes, but the satisfaction gained expending a missile for this purpose makes it worthwhile.

    5. Re:Is there any reason why? by Anonymous Coward · · Score: 1

      Paying the ransom or using Tomahawk is a very expensive solution. Why not buy $200K of hardware and crack the RSA-2048 private key used for the encryption? Or maybe an even cheaper solution is to shell out $50K to trace the Tor logs and pinpoint the servers of this Erebus ransomware.

    6. Re: Is there any reason why? by F.Ultra · · Score: 2

      Well, you now have an idea for a new Kickstarter!

    7. Re:Is there any reason why? by Anonymous Coward · · Score: 0

      Anywhere north of the 38th parallel is good enough.

    8. Re:Is there any reason why? by omnichad · · Score: 1

      Globally?

    9. Re:Is there any reason why? by Anonymous Coward · · Score: 0

      *sigh* the peninsula, you big dummy!

    10. Re:Is there any reason why? by Anonymous Coward · · Score: 0

      I dunno, I think bombing everything north of the 38th parallel globally would solve a lot of problems

    11. Re:Is there any reason why? by mike.mondy · · Score: 1

      Paying the ransom or using Tomahawk is a very expensive solution. Why not buy $200K of hardware and crack the RSA-2048 private key used for the encryption?

      They say ten days to decrypt? I imagine the encryption took multiple days too. They should have had a good chance at finding a machine where it was still running.

      The most recent Linux ransomware I've seen was the so-called "motd virus" that used a simplistic Python script to do AES-128 encryption with a 512 bit key. That's symmetric. With it running for days as an ordinary process, you can probably spot it and get a core image. It would only take a fraction of a day to try every set of contiguous 512 bits from that image as a key.

      Of course, backups are better. But, if they're not using asymmetric encryption and if you can get a process image or an OS image, you can probably search for the key. On a similar note, for WannaCry on Windows they found the prime numbers related to the key in memory even after the encryption process was complete.
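
The memory-search idea in the post above, as an added example that is not part of the original thread: it slides a key-length window over a constructed process-memory image and tests every contiguous chunk as the key against a file whose plaintext header is known. It assumes a toy HMAC-SHA256 counter-mode keystream in place of AES (so it runs with only the Python standard library), a 32-byte key length (parameterised, so the post's 512-bit case is `key_len=64`), and `%PDF-` as the known header; the memory image and encrypted file are constructed inline.

```python
"""Search a captured process-memory image for a symmetric file-encryption key.

Added example (not from the Slashdot thread). Idea from the post above: if the
ransomware process is still running, or a core/memory image was captured, the
key is in that image, so every contiguous key-length window can be tried
against a file whose plaintext header is known (here a PDF, '%PDF-').

Assumptions (not from the page): the cipher is a toy HMAC-SHA256 counter-mode
keystream standing in for AES, so only the standard library is needed; key
length, magic bytes, memory image and encrypted file are all constructed here.
"""
import hashlib
import hmac
from typing import Optional, Tuple

KEY_LEN = 32          # assumed key length in bytes; parameterised below
PDF_MAGIC = b"%PDF-"  # known plaintext the decrypted header must start with


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: concatenated HMAC-SHA256(key, counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def find_key_in_image(image: bytes, ciphertext: bytes, magic: bytes = PDF_MAGIC,
                      key_len: int = KEY_LEN, step: int = 1) -> Optional[Tuple[int, bytes]]:
    """Slide a key_len window over the image (step bytes at a time) and return
    (offset, key) for the first window that decrypts the file header to magic.
    Only the header is decrypted per candidate, so each trial is cheap."""
    header = ciphertext[:len(magic)]
    for off in range(0, len(image) - key_len + 1, step):
        candidate = image[off:off + key_len]
        if xor_crypt(candidate, header) == magic:
            return off, candidate
    return None


def recover_file(image: bytes, ciphertext: bytes, magic: bytes = PDF_MAGIC,
                 key_len: int = KEY_LEN) -> Optional[bytes]:
    """Decrypt ciphertext with the key found in image, or None if no key matches."""
    hit = find_key_in_image(image, ciphertext, magic, key_len)
    if hit is None:
        return None
    return xor_crypt(hit[1], ciphertext)


# --- constructed sample data: a fake process image with the key buried in it ---
SECRET_KEY = hashlib.sha256(b"constructed demo key").digest()          # 32 bytes
SAMPLE_PLAINTEXT = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
SAMPLE_CIPHERTEXT = xor_crypt(SECRET_KEY, SAMPLE_PLAINTEXT)
_FILLER = hashlib.sha256(b"heap noise").digest() * 40                  # deterministic "heap"
KEY_OFFSET = 700
SAMPLE_IMAGE = _FILLER[:KEY_OFFSET] + SECRET_KEY + _FILLER[KEY_OFFSET:]

if __name__ == "__main__":
    hit = find_key_in_image(SAMPLE_IMAGE, SAMPLE_CIPHERTEXT)
    print("key offset:", None if hit is None else hit[0])
    print("recovered:", recover_file(SAMPLE_IMAGE, SAMPLE_CIPHERTEXT))
```

A longer known prefix, or checking a second file with the same candidate, rules out chance matches on a short magic; swapping a real AES implementation into `xor_crypt` leaves the search loop unchanged.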

  7. Once again by mfh · · Score: 3, Insightful

    A Trend Micro analysis of the Nayana systems reveals endemic problems. It is no surprise that the hosting provider fell victim to this infection.

    Once again, a company is managed by sales guys not tech guys. What could possibly go wrong?

    IT Guy: "We need to upgrade our servers."

    Business guy: "That costs too much. Don't bring suggestions like that to a meeting again!"

    IT Guy: {{okay.png}}

    The version of Apache NAYANA used is run as a user of nobody(uid=99), which indicates that a local exploit may have also been used in the attack.

    Oh wait. Maybe it was an inside job?

    The gnuplot thickens!

    --
    The dangers of knowledge trigger emotional distress in human beings.
    1. Re:Once again by s1d3track3D · · Score: 3, Funny

      Oh wait. Maybe it was an inside job?

      NAYANA’s website runs on Linux kernel 2.6.24.2, which was compiled back in 2008. [...] Additionally, NAYANA’s website uses Apache version 1.3.36 and PHP version 5.1.4, both of which were released back in 2006.

      With versions like this, who doesn't have a remote shell account with elevated privileges on their servers!?

    2. Re:Once again by Mashiki · · Score: 1

      Oh wait. Maybe it was an inside job?

      This is my guess...or it was someone who managed to talk themselves in through the door. That one's becoming quite popular too, all you need is someone that's a good bullshitter to pull it off. Remember that bank job (Bangladesh) a year or so back? That one has a lot of inside job markers to it too.

      --
      Om, nomnomnom...
    3. Re:Once again by Anonymous Coward · · Score: 0

      Oh wait. Maybe it was an inside job?

      Spot on. There are chances that this is an inside job by the web hosting company itself. That's according to IT security statistics. More than 90% of breaches were insider attacks.

    4. Re:Once again by Tablizer · · Score: 2

      Once again, a company is managed by sales guys not tech guys.

      Investors may know and accept the trade-offs. Slimy salesy companies often can and do grow big and make investors wealthy.

      I don't know what percent of investors are that way, but there are sufficient numbers to keep plenty of slimers afloat. Big investors can spread the risk so that no one slimer flame-out ruins their aggregate portfolio. They are playing the averages.

    5. Re:Once again by omnichad · · Score: 1

      If everyone's inside, then it's an inside job!

    6. Re:Once again by MtHuurne · · Score: 1

      The version of Apache NAYANA used is run as a user of nobody(uid=99), which indicates that a local exploit may have also been used in the attack.

      Oh wait. Maybe it was an inside job?

      No, it just means that more than one exploit had to be used: a remote exploit to get any code running on the machine and a local exploit to get root privileges. With a system that hasn't been updated in almost a decade, there would be plenty of local exploits to choose from though.

    7. Re: Once again by Anonymous Coward · · Score: 0

      Think inside the box

    8. Re:Once again by hairyfeet · · Score: 1

      Hell they could have done the old "drop a couple flash sticks in the parking lot next to where the PHBs park" trick, you'd be fricking amazed at how often stupid people will just pick up a stick from God knows where and stick it into their PCs.

      One thing is for sure whoever they had that didn't make sure they had functional backups, be it IT, be it an MBA (Masters of Being Assholes) that didn't pay for the gear and/or manpower IT needed to have backups, or legal who didn't write a "the user is responsible for their own backups" clause in the contract should be so very FIRED because this is seriously Mickey Mouse amateur hour shit.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  8. "153 Linux servers" ... uh-oh by Anonymous Coward · · Score: 1

    The take-away line for me was at the end where it mentions the affected machines are 153 Linux servers that got encrypted. Linux. Let that sink in. Unless these were VMs running on a Windows hosting base, Linuxland has a large threat to face.

    1. Re:"153 Linux servers" ... uh-oh by sqorbit · · Score: 2

      I don't believe that you can blame Linux or Windows when updating and patching your systems avoids this type of thing. Again, this was an attack on systems that were not updated properly. If known vulnerabilities are out there and you are not updating your system. The OS developer has done their job and patched the security hole. You have not done your job in updating your systems. There is no excuse for a web hosting company not updating systems when they have huge amounts of public facing IP addresses.

      --
      Sent from my TARDIS
    2. Re:"153 Linux servers" ... uh-oh by Solandri · · Score: 1

      Actually, my hunch would be these were Linux file servers. And an infected Windows machine with root-level access to the file shares on these servers encrypted everything. This is the reason we keep telling people that you need an offline backup. Ransomware will simply encrypt an always-online backup along with the computer's files.

    3. Re:"153 Linux servers" ... uh-oh by Anonymous Coward · · Score: 0

      You assume that the attack came via Linux. If my company got nailed by this, it would have encrypted a "Linux Server" because that's where my file shares are, even though the attack would likely have run on Windows.

    4. Re:"153 Linux servers" ... uh-oh by Anonymous Coward · · Score: 0

      Apparently your hunch is wrong, they were (TFA says) just ancient Linux installations.

    5. Re:"153 Linux servers" ... uh-oh by markdavis · · Score: 1

      Adjust your takeaway... At first I was surprised too, but then discovered it seems their servers had not been updated in something like 9 years! That has little to do with being Linux and a lot to do with zero maintenance.

    6. Re:"153 Linux servers" ... uh-oh by Anonymous Coward · · Score: 0

      "I don't believe that you can blame Linux or Windows when updating and patching your systems avoids this type of thing"
      Almost every publicized Windows exploit could have been negated if the systems had been current with their updates and patches but that has never stopped people from blaming MS for having crappy software. Along comes a story about Linux being compromised and suddenly everyone wants to present a more fair and balanced assessment and blame poor system administration instead of the software. And both the MS and Linux OSes can be easily exploited because the software was not configured correctly. There are hundreds of ways an idiot can take perfectly secure software and turn it into something a 3-year-old could exploit.

  9. Poison Pill by Anonymous Coward · · Score: 0

    You would think that Bitcoin would be able to come up with a "poison pill" or something similar that allows companies to "pay" their ransom, but the coins dissolve (or send out a tracking beacon!) after some time has passed.

    1. Re:Poison Pill by Anonymous Coward · · Score: 2, Interesting

      Trouble is, as soon as you had something like that, it would end up used for fraudulent transactions during normal purchases. I could buy a $800 phone from you, wait until I get the phone, then the bitcoins I paid you with disappear.

    2. Re:Poison Pill by avandesande · · Score: 1, Informative

      every transaction is here https://blockchain.info/

      --
      love is just extroverted narcissism
    3. Re:Poison Pill by david_thornley · · Score: 1

      You can trace bitcoins from wallet to wallet. Figuring out who the wallets belong to is more of a problem, particularly if they're in another country.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  10. Well look who just went out of business! by Dan1701 · · Score: 5, Funny

    If you pay the ransom in secret, then the guys who set you up this time now know three useful things:

    1) You are stupid enough to pay ransoms.
    2) You are stupid enough to run vulnerable systems which make setting up the demand possible.
    3) You have the money to pay these ransoms.

    In short, you just lit up an enormous great SUCKER sign right up above your heads, but only for the criminal group that ran the fiddle.

    These utter idiots have however publicly said that they paid the ransom. Now every script kiddie on the planet knows those three facts, and they are ALL going to be gunning for the known-rich suckers.

    This company can be counted as dead and gone right now. If you own stock in it, get rid soonest, before it becomes worthless.

    1. Re:Well look who just went out of business! by itamihn · · Score: 4, Interesting

      Also, can they be prosecuted for these payments? They are in the end sending money to an illegal organisation.

    2. Re:Well look who just went out of business! by Anonymous Coward · · Score: 0

      The worst part of making it public is not having any customers anymore, once the customers get their data back.

    3. Re:Well look who just went out of business! by Mashiki · · Score: 1

      Yes in many countries. But it wouldn't surprise me to hear that the police are involved in some way in order to try and find out who is trying to blackmail them. That does happen from time to time, and they use big media blitzes like this to try and flush people out.

      --
      Om, nomnomnom...
    4. Re:Well look who just went out of business! by Anonymous Coward · · Score: 2, Insightful

      Also, they just armed a criminal group with enough money to fund their next attack. Thanks for nothing.

    5. Re:Well look who just went out of business! by Anonymous Coward · · Score: 0

      I dunno. Can you be prosecuted for giving your wallet to a mugger? I guess if you could be it might discourage people from reporting robberies, and then the government would be able to claim that the crime rate had gone down. Not sure what else it would achieve, though.

    6. Re:Well look who just went out of business! by PoopJuggler · · Score: 1

      OR, the negotiations were just to buy investigators more time to set up a sting and the entire payment is bait. Like when a bank gives robbers money but hides a dye-pack in the sack.

    7. Re:Well look who just went out of business! by F.Ultra · · Score: 3, Insightful

      Please list any democratic country where it's illegal to pay a ransom. Paying a ransom is not equated with supporting an illegal organisation or as fencing in any jurisdiction that I'm aware of. Any attempt to make such payments illegal would only yield one end result; the victims would be extremely less motivated to involve the police.

    8. Re:Well look who just went out of business! by F.Ultra · · Score: 1

      For one it would make the muggers' jobs easier since the victims would incriminate themselves if they reported the crime so basically home run for the muggers!

    9. Re: Well look who just went out of business! by Anonymous Coward · · Score: 0

      Except Bitcoin...

    10. Re: Well look who just went out of business! by Anonymous Coward · · Score: 1

      It's okay, the dye pack is digital.

    11. Re:Well look who just went out of business! by Anonymous Coward · · Score: 0

      It's a whore mentality indeed. South Koreans are good at writing exams, copying technology and out-slaving their competitors, and f*** all else. They're also racists. The entire country runs on Windows. Suckers^2

    12. Re:Well look who just went out of business! by Anonymous Coward · · Score: 3, Informative

      Please list any democratic country where it's illegal to pay a ransom. Paying a ransom is not equated with supporting an illegal organisation or as fencing in any jurisdiction that I'm aware of. Any attempt to make such payments illegal would only yield one end result; the victims would be extremely less motivated to involve the police.

      Here's one; Canada.

      http://nationalpost.com/news/c...

    13. Re: Well look who just went out of business! by PoopJuggler · · Score: 1

      Bitcoin is not as anonymous as you might think.

    14. Re: Well look who just went out of business! by Anonymous Coward · · Score: 0

      Depends if you mean before or after you go through mixers...

    15. Re:Well look who just went out of business! by Bert64 · · Score: 1

      You don't "give" your wallet to a mugger, the mugger takes it from you forcibly. Even if you physically hand it over, you have done so under duress during the act of being mugged.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    16. Re: Well look who just went out of business! by religionofpeas · · Score: 1

      It's perfectly anonymous to receive the coins in a fresh address. Spending them is a bit trickier, but if you're not in a hurry, you can do that a few years later, maybe from an open WiFi network somewhere in a parking lot during vacation abroad.

    17. Re:Well look who just went out of business! by AmiMoJo · · Score: 1

      It's illegal in the UK if you know or could reasonably expect the funds will go towards terrorism. Basic criminals though, you can pay them.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    18. Re:Well look who just went out of business! by david_thornley · · Score: 1

      Muggers don't have to take it by force, if they've got a good enough threat. In this case, the hosting company was in really deep doo-doo if they couldn't get their files back, so that looks a lot like duress to me.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    19. Re:Well look who just went out of business! by F.Ultra · · Score: 1

      Of course both UK and US would go completely bananas when it comes to terrorists, don't know why I didn't see that one coming.

    20. Re:Well look who just went out of business! by F.Ultra · · Score: 1

      Seems to be only because it's about teh terrorists (which of course still makes your claim valid)

  11. Why is this not illegal? by Anonymous Coward · · Score: 0

    They're funding this by making the decision to give so much money to criminals. Now the criminals can afford to break the law even more. This is just like how Republicans like Trump give guns to criminals so that they can use them to steal money so they can afford even more guns to steal even more. The feedback loop means that all thinking people are slaves to the gun owners.

  12. Dog bites man by Anonymous Coward · · Score: 0

    Embezzlers at corporations as well as government agencies walk away with stuff like this every day.

  13. 10 days? by mnemotronic · · Score: 2

    If it takes 10 days to decrypt the data, wouldn't it have taken at least that long to encrypt it? So:
    1. Didn't any of the Nayana admins notice any unusual activity? I'm guessing not, given the breadth and depth of their other server configuration shortcomings.
    2. Didn't any of the customers notice their data disappearing?
    3. If a new file is added to the system at this point will it be encrypted? If an existing encrypted PDF file is renamed with an extension/type NOT in the encryption type list, will it get decrypted?

    --
    The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
    1. Re:10 days? by Anonymous Coward · · Score: 0

      If it takes 10 days to decrypt the data, wouldn't it have taken at least that long to encrypt it?
      Maybe decrypt and then reinstall server OS to remove the malware completely, which would take 10 days for them, but the encryption was most probably faster than decryption and cleanup of systems.

      If an existing encrypted PDF file is renamed with an extension/type NOT in the encryption type list, will it get decrypted?
      Ransomware won't decrypt files without the private keys from C&C servers. Bitcoin is needed before those private keys are handed over to their victims.

      captcha: teenage (are you?)

    2. Re:10 days? by chuckugly · · Score: 2

      I'm not a ransomware author, but if I were I'd filter the I/O requests such that as I encrypted files, I would decrypt them on the fly as they were demanded until I was finished. Then I would possibly continue until my peers were also finished, and then probably raise the demand.

      I would be a little surprised (and sort of oddly disappointed) if this isn't how this class of ransomware works. Doing this is not rocket surgery.

  14. The lawsuits ... by dasgoober · · Score: 1

    ... probably would've cost them more.
    Then, lost customers.

    Well played, ransomers, well played

  15. end this by Ryanrule · · Score: 1

    charge them for conspiring with and funding criminals

    1. Re:end this by F.Ultra · · Score: 1

      That would just make matters worse. If you criminalize the victims you just make them less likely to involve the police and the criminals can operate far easier without risking getting caught (if no one files any charges then no one will be chasing them and the victims want their data back).

    2. Re:end this by Ryanrule · · Score: 1

      Great, that's a second conspiracy charge.

    3. Re:end this by F.Ultra · · Score: 1

      Which opens you up for endless blackmail. #1 install ransomware. #2 collect ransom-money. #3 blackmail victim that you will tell the authorities that they did pay your ransom. #4 profit for ever.

  16. Banks are the major clients of Nayana it seems by Anonymous Coward · · Score: 0

    I remember these dates were similar to some banks going offline because of database errors.
    According to some tech sites the ransomware which attacked Nayana is Erebus.

    1. Re:Banks are the major clients of Nayana it seems by Dunbal · · Score: 4, Interesting

      So here's a funny story. Your database gets encrypted. You don't have a backup so you pay a ransom. IF the bad guy is nice, you get a key to decrypt your database again. Since you don't have any sort of backup to compare it to.... how the fuck do you know they haven't inserted/deleted/modified anything in there as well? You don't until things start happening. Even better, the bad guys know that you don't, because you were dumb enough to tell them by paying the ransom. Welcome to phase 2 of your security nightmare. You are now their bitch.

      --
      Seven puppies were harmed during the making of this post.
    2. Re:Banks are the major clients of Nayana it seems by zlives · · Score: 1

      our faith at FaithfUl baCK UPs is that criminals are not that mean.

    3. Re:Banks are the major clients of Nayana it seems by Bert64 · · Score: 1

      If they want to backdoor your database, they had the access to do so without drawing attention to their presence by demanding a ransom...

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    4. Re:Banks are the major clients of Nayana it seems by Dunbal · · Score: 1

      they had the access to do so without drawing attention to their presence by demanding a ransom...

      That doesn't put money in your pocket like a ransom does.

      --
      Seven puppies were harmed during the making of this post.
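The concern raised above, that a victim with no known-good copy cannot tell whether restored data was quietly altered, is exactly what a checksum manifest taken from an offline backup answers. The following is an added example, not code from the thread or from Nayana: it records a SHA-256 manifest of a directory tree, then compares a later copy against it and reports modified, added and deleted files. All file names and contents are constructed sample data written to a temporary directory.

```python
"""
Added example (not from the Slashdot thread): detect tampering after a
restore by comparing a directory tree against a checksum manifest that
was recorded from a known-good (offline) backup. The sample tree below
is constructed in a temporary directory so the script runs offline.
"""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: str) -> dict[str, str]:
    """Map each file's path (relative to root, POSIX form) to its SHA-256 hex digest."""
    manifest = {}
    root_path = Path(root)
    for path in sorted(root_path.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            manifest[path.relative_to(root_path).as_posix()] = h.hexdigest()
    return manifest


def compare_manifests(known_good: dict[str, str],
                      current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every path as modified, added (absent from known-good) or deleted."""
    modified = sorted(p for p in known_good
                      if p in current and known_good[p] != current[p])
    added = sorted(p for p in current if p not in known_good)
    deleted = sorted(p for p in known_good if p not in current)
    return {"modified": modified, "added": added, "deleted": deleted}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: snapshot a small tree, alter it, then compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "accounts.csv").write_text("id,balance\n1,100\n2,250\n")
        (root / "db" / "schema.sql").write_text(
            "CREATE TABLE accounts(id INT, balance INT);\n")
        (root / "README").write_text("constructed sample data\n")

        # What the offline backup would have recorded before the incident.
        known_good = build_manifest(tmp)

        # Simulate a "restored" tree that silently differs from the backup:
        # one record appended, one file planted, one file missing.
        (root / "db" / "accounts.csv").write_text(
            "id,balance\n1,100\n2,250\n3,999999\n")          # modified
        (root / "db" / "planted.sql").write_text(
            "-- constructed file not present in the backup\n")  # added
        (root / "README").unlink()                              # deleted

        return compare_manifests(known_good, build_manifest(tmp))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The manifest only helps if it is stored somewhere the compromised hosts cannot reach (the same offline media as the backup itself, or a separate signed copy); a manifest kept on the restored servers can be rewritten along with the data it is meant to vouch for.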
  17. Seriously by Dunbal · · Score: 1

    pay the ransom demand in three installments, due to the company's inability to produce such a large amount of cash in a short period of time.

    Any company stupid enough that they have to pay ransom in the hope of getting their data back (there's a good chance they won't) deserves to go broke. BACKUPS. CONTINGENCY PLANS. Yeah it takes time and money but it's a lot fucking cheaper than sending random criminals millions of dollars and then listening to the sound of them laughing at you when they simply disappear with the money.

    --
    Seven puppies were harmed during the making of this post.
    1. Re:Seriously by F.Ultra · · Score: 1

      From TFA they installed the servers 8 years ago and have not applied a single patch since. I would say that they already proved to be stupid there and then.

  18. This is what DR is for by roc97007 · · Score: 1

    What, they had no DR strategy? This type of incident is just what DR is for. Your data is a smoking hole in the ground. Now, rebuild. You have 24 hours.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
  19. Bad headline by strikethree · · Score: 1

    Headline should say, "Company would rather pay million dollar ransom than pay for competent help"

    Who cares? Why is this on Slashdot? We all already know. The situation is predictable and happens all the time. Water is wet, news at 11.

    --
    "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
  20. Guarantee? by AlanObject · · Score: 1

    So how do you pay $1M (or any amount) of bitcoin to the ransomware owners without getting some sort of guarantee from them that they will actually deliver the decrypt key? You just send the transaction and hope they hold up their end of the bargain?

    If they were in communication with the bad guys, that means there is some communication trail back to them. I can't see savvy malware people exposing themselves that way.

  21. So there is a switch to delay deletion by ayesnymous · · Score: 1

    The ransomware writers allowed them to pay the rest later, so they had to tell the ransomware to postpone the deletion of files.

  22. After.. by Anonymous Coward · · Score: 0

    Let's assume there is some honour amongst thieves and eventually everything is given back somehow. Who would remain with these hosts?

    Nobody with half a brain will, and who would think any data is now accurate and not modified?

  23. Thanks, America by Anonymous Coward · · Score: 0

    NSA, CIA, the spying and sabotaging of foreign countries' infrastructure, and the leaking of purposely made security holes allowing others to do the same, are all symptoms of America and the American citizen's attitude to the outside world.

    The sooner you kick the Americans out, the better, and you should always assume they are doing everything to break in.

  24. This problem is not going to go away unless.... by dr.Flake · · Score: 1

    Word needs to get out that secret service organizations have started to see this behavior of criminals as a threat to national security / national interests.

    When MI5 / CIA / FSB people start making people wake up with their testicles in a glass on the nightstand, the willingness of talented hackers to go for the "easy" money will decrease. Till then, every talented guy living in a shithole in eastern Uzbekistan will see this method as a way out of his shitty life.

    --
    Why are other people's sigs always more witty???
  25. Negotiating with terrorists by Anonymous Coward · · Score: 0

    Great job guys. You just fed an organised crime group. They'll spend it wisely on weapons, kidnappings, murders, and other abuse that will make them even more money. And what for? A bunch of websites?

  26. If only they had been running Linux by blackpaw · · Score: 1

    They would have been safe! because you know, Linux!

    And who cares if a Windows server got infected because it was never patched - still all Windows' fault!

  27. Are offline backups out of style? by Anonymous Coward · · Score: 0

    I'm just a small video game developer, and maybe I'm neurotic/not in vogue, but I only feel good when I have 2 offline backups of assets and important builds in addition to whatever online backups I have.

    The hardware costs and effort are trivial compared to a catastrophe. (Plus I just like having more computer hardware.)

    In my mind, "an ounce of prevention is worth a pound of the cure" is an understatement.