Slashdot Mirror

← Back to Stories (view on slashdot.org)

South Korean Web Hosting Provider Pays $1 Million In Ransomware Demand (bleepingcomputer.com)

Posted by msmash on from the folding-up dept.

An anonymous reader writes: Nayana, a web hosting provider based in South Korea, announced it is in the process of paying a three-tier ransom demand of nearly $1 million worth of Bitcoin, following a ransomware infection that encrypted data on customer' servers. The ransomware infection appears has taken place on June 10, but Nayana admitted to the incident two days later, in a statement on its website.

Attackers asked for an initial ransom payment of 550 Bitcoin, which was worth nearly $1.62 million at the time of the request. After two days of negotiations, Nayana staff said they managed to reduce the ransom demand to 397.6 Bitcoin, or nearly $1 million. In a subsequent announcement, Nayana officials stated that they negotiated with the attackers to pay the ransom demand in three installments, due to the company's inability to produce such a large amount of cash in a short period of time.

On Saturday, June 17, the company said it already paid two of the three payment tranches. In subsequent announcements, Nayana updated clients on the server decryption process, saying the entire operation would take up to ten days due to the vast amount of encrypted data. The company said 153 Linux servers were affected, servers which stored the information of more than 3,400 customers.

68 of 100 comments (clear)

  1. WTF --- So, no backups, at all? by HumanWiki · · Score: 5, Insightful

    So, outside of the question of where are all your backups, dB logging, aux-copy, snapshots, etc... How did this happen?? (reads bottom part of article)..

    Nevermind....

    1. Re:WTF --- So, no backups, at all? by HumanWiki · · Score: 5, Informative

      Backing up User VMs is trivial. So is a snapshot system. Most all the major hypervisor makers have this built in and there are also plenty of free ware things to do this as well..

      You can run Hyper-V, with free Veeam and with some scheduled task stuff from Task Scheduler or a Jenkins systems, you can kick of Powershell code that will automagically find all your VMs, even in a non-clustered pool (so long as you registered the hosts in Veeam free), and then back them all up as full sets, with compression and/or encryption to a NAS device of some sort.

      Restoring is also easily done AND you can restore the whole machine as it was at the stun/snap, registered, powered on and everything, restore just the VM filesets to manually register and start or you can do varying levels of OS level file restore for just those files that got mucked up.

      This stuff is pretty easy to do and low cost.

    2. Re:WTF --- So, no backups, at all? by Anonymous Coward · · Score: 3, Interesting

      That is too true.

      My old company I used to work for would not listen to me the IT manager, as the IT Director (Who was known as Can't Understand New Technology) inisted we only need one backup tape to backup the company data and insisted we kept the tape in his office. Needless to say I had all the memo's to backup (no pun) my position on this and many other matters. Well we had a fire, the tape got burnt and the servers were also fried and bang NO DATA, the company quickly sacked the IT manager with a 2 finger payoff.

    3. Re:WTF --- So, no backups, at all? by Anonymous Coward · · Score: 2, Insightful

      I do not know how many times I have heard a DBA or System Admin claim that they had sound backups... because legato (etc...) server said they did, only to find out that they had no usable backup tapes when something bad did happen and they had to recover.

      There is a significant cost to testing the recovery of backups and many companies do not test to make certain that the backups they are running have any value at all

    4. Re:WTF --- So, no backups, at all? by Dunbal · · Score: 3, Informative

      Storing thousands (if not many many more) of VM backups for customers for free is "low cost"?

      If you wrote out the contract properly then you made sure that user backups are the user's responsibility, in which case you don't have to pay a single penny ransom because you don't owe anyone anything. Well you could be nice and take snapshots once a week or something and if users complain you point to the appropriate clause in the contract. There is NO excuse. None. You're trying to justify idiocy. Don't. It just makes you look bad too.

      --
      Seven puppies were harmed during the making of this post.
    5. Re:WTF --- So, no backups, at all? by Bert64 · · Score: 1

      Depends what kind of service the customers bought and how much they paid for it..
      Unless the hosting provider guaranteed uptime or offered backups as part of the service, they can just say "catastrophic data loss, heres a new blank vm" and that's it. No different to if the building burned down or whatever.

      Also, perhaps they were doing backups, but did so to an online target that also got hit by the ransomware? It's not uncommon for backups to be performed to online storage like this, as people usually think of backups as a way to mitigate hardware failure and don't plan for things like intentional destruction of data.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    6. Re: WTF --- So, no backups, at all? by corychristison · · Score: 1

      Object storage has made proper archival backups for my company a little more manageable and more affordable.

      Each server creates incremental backups of the necessary data every 8 hours (os config files, selective filesystem data, database dumps, etc).

      From there the backup files are replicated into our backup cluster. The backup cluster then encrypts and replicates it all into both OVH's object storage and Backblaze's B2 object storage. The cluster only keeps the most recent 7 days on hand.

      In object storage, we keep 6 weeks or so. Total cost for ~28TB is only about $300/mo between the two copies.

    7. Re:WTF --- So, no backups, at all? by AmiMoJo · · Score: 1

      If you wrote out the contract properly then you made sure that user backups are the user's responsibility, in which case you don't have to pay a single penny ransom because you don't owe anyone anything.

      Yeah.... When it emerges that you were running a kernel from 2008 and Apache/PHP from 2006, as TFA says they were, if you want your business to survive you had better make some effort to atone for your gross incompetence. In the current market place there are plenty of similarly priced hosting providers who also offer software from this decade.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re:WTF --- So, no backups, at all? by strikethree · · Score: 1

      If you wrote out the contract properly then you made sure that user backups are the user's responsibility, in which case you don't have to pay a single penny ransom because you don't owe anyone anything.

      Hm... kind of. Any business contract that allowed the company to fail in providing services to the customers with no penalties would be a rather odd thing. Meaning, yeah, the customer likely could not sue for loss of data, but it was the hosting company servers that were compromised, not the customers servers (of course customer servers were affected because they ride on top of company servers, but that is not the point).

      Long story short, yeah, the hosting company will not likely be held liable for the loss of customer data but the hosting company can and will be held liable for the extended loss of service, which means they should have had backups, which is how this conversation was started. Proper backups would have allowed them to restore business operations within a much shorter time frame... and possibly garnered some good will from their customers if customer data had been backed up as well.

      --
      "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
  2. Same kind of story happend every using cash by JcMorin · · Score: 1

    While this is new from the concept of internet transfer, the same kind of story happened every for debt payment regarding drugs or gambling. Don't start blame Bitcoin on that... bad guys just use the best technology around as usual.

  3. North Korea thanks you for your payment by WillAffleckUW · · Score: 1

    What, you thought it was the Chinese?

    Lol.

    --
    -- Tigger warning: This post may contain tiggers! --
  4. "You know... by cirby · · Score: 5, Insightful

    "It's a lot cheaper for us to hire some really awful people to find you and get the money back, so why don't you just hand over the encryption keys right now?

    1. Re:"You know... by Anonymous Coward · · Score: 1

      Or if Nayana had just put some get-out-of-responsibility-free clause in their user contracts

  5. Once again by mfh · · Score: 3, Insightful

    A Trend Micro analysis of the Nayana systems reveals endemic problems. It is no surprise that the hosting provider fell victim to this infection.

    Once again, a company is managed by sales guys not tech guys. What could possibly go wrong?

    IT Guy: "We need to upgrade our servers."

    Business guy: "That costs too much. Don't bring suggestions like that to a meeting again!"

    IT Guy: {{okay.png}}

    The version of Apache NAYANA used is run as a user of nobody(uid=99), which indicates that a local exploit may have also been used in the attack.

    Oh wait. Maybe it was an inside job?

    The gnuplot thickens!

    --
    The dangers of knowledge trigger emotional distress in human beings.
    1. Re:Once again by s1d3track3D · · Score: 3, Funny

      Oh wait. Maybe it was an inside job?

      NAYANA’s website runs on Linux kernel 2.6.24.2, which was compiled back in 2008. [...] Additionally, NAYANA’s website uses Apache version 1.3.36 and PHP version 5.1.4, both of which were released back in 2006.

      With versions like this, who doesn't have a remote shell account with elevated privileges on their servers!?

    2. Re:Once again by Mashiki · · Score: 1

      Oh wait. Maybe it was an inside job?

      This is my guess...or it was someone who managed to talk themselves in through the door. That's one's becoming quite popular too, all you need is someone that's a good bullshitter to pull it off. Remember that bank job(Bangladesh) a year or so back? That one has a lot of inside job markers to it too.

      --
      Om, nomnomnom...
    3. Re:Once again by Tablizer · · Score: 2

      Once again, a company is managed by sales guys not tech guys.

      Investors may know and accept the trade-offs. Slimy salesy companies often can and do grow big and make investors wealthy.

      I don't know what percent of investors are that way, but there are sufficient numbers to keep plenty of slimers afloat. Big investors can spread the risk so that no one slimer flame-out ruins their aggregate portfolio. They are playing the averages.

      --
      Table-ized A.I.
    4. Re:Once again by omnichad · · Score: 1

      If everyone's inside, then it's an inside job!

    5. Re:Once again by MtHuurne · · Score: 1

      The version of Apache NAYANA used is run as a user of nobody(uid=99), which indicates that a local exploit may have also been used in the attack.

      Oh wait. Maybe it was an inside job?

      No, it just means that more than one exploit had to be used: a remote exploit to get any code running on the machine and a local exploit to get root privileges. With a system that hasn't been updated in almost a decade, there would be plenty of local exploits to choose from though.

    6. Re:Once again by hairyfeet · · Score: 1

      Hell they could have done the old "drop a couple flash sticks in the parking lot next to where the PHBs park" trick, you'd be fricking amazed at how often stupid people will just pick up a stick from God knows where and stick it into their PCs.

      One thing is for sure whomever they had that didn't make sure they had functional backups, be it IT, be it an MBA (Masters of Being Assholes) that didn't pay for the gear and/or manpower IT needed to have backups, or legal who didn't write a "the user is responsible for their own backups" clause in the contract should be so very FIRED because this is seriously Mickey Mouse amateur hour shit.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  6. Re:Is there any reason why? by Anonymous Coward · · Score: 1

    For one reason, it would be quite difficult to know exactly where these people are based, let alone that there's one-one else near by.

  7. "153 Linux servers" ... uh-oh by Anonymous Coward · · Score: 1

    The take-away line for me was at the end where it mentions the affected machines are 153 Linux servers that got encrypted. Linux. Let that sink in. Unless these were VM's running on a Windows hosting base, Linuxland has a large threat to face.

    1. Re:"153 Linux servers" ... uh-oh by sqorbit · · Score: 2

      I don't believe that you can blame Linux or Windows when updating and patching your systems avoids this type of thing. Again, this was an attack on systems that were not updated properly. If known vulnerabilities are out there and you are not updating your system. The OS developer has done their job and patched the security hole. You have not done your job in updating your systems. There is no excuse for a web hosting company not updating systems when they have huge amounts of public facing IP addresses.

      --
      Sent from my TARDIS
    2. Re:"153 Linux servers" ... uh-oh by Solandri · · Score: 1

      Actually, my hunch would be these were Linux file servers. And an infected Windows machine with root-level access to the file shares on these servers encrypted everything. This is the reason we keep telling people that you need an offline backup. Ransomware will simply encrypt an always-online backup along with the computer's files.

    3. Re:"153 Linux servers" ... uh-oh by markdavis · · Score: 1

      Adjust your takeaway... At first I was surprised too, but then discovered it seems their servers had not been updated in something like 9 years! That has little to do with being Linux and a lot to do with zero maintenance.

  8. Well look who just went out of business! by Dan1701 · · Score: 5, Funny

    If you pay the ransom in secret, then the guys who set you up this time now know a three of useful things:

    1) You are stupid enough to pay ransoms.
    2) You are stupid enough to run vulnerable systems which make setting up the demand possible.
    3) You have the money to pay these ransoms.

    In short, you just lit up an enormous great SUCKER sign right up above your heads, but only for the criminal group that ran the fiddle.

    These utter idiots have however publicly said that they paid the ransom. Now every script kiddie on the planet knows those three facts, and they are ALL going to be gunning for the known-rich suckers.

    This company can be counted as dead and gone right now. If you own stock in it, get rid soonest, before it becomes worthless.

    1. Re:Well look who just went out of business! by itamihn · · Score: 4, Interesting

      Also, can they be prosecuted for these payments? They are in the end sending money to an illegal organisation.

    2. Re:Well look who just went out of business! by Mashiki · · Score: 1

      Yes in many countries. But it wouldn't surprise me to hear that the police are involved in some way in order to try and find out who is trying to blackmail them. That does happen from time to time, and they use big media blitz's like this to try and flush people out.

      --
      Om, nomnomnom...
    3. Re:Well look who just went out of business! by Anonymous Coward · · Score: 2, Insightful

      Also, they just armed a criminal group with enough money to fund their next attack. Thanks for nothing.

    4. Re:Well look who just went out of business! by PoopJuggler · · Score: 1

      OR, the negotiations were just to buy investigators more time to setup a sting and the entire payment is bait. Like when a bank gives robbers money but hides a dye-pack in the sack.

    5. Re:Well look who just went out of business! by F.Ultra · · Score: 3, Insightful

      Please list any democratic country where it's illegal to pay a ransom. Paying a ransom is not equated with supporting a illegal organisation or as fencing in any jurisdiction that I'm aware of. Any attempt to make such payments would only yield one end result; the victims would be extremely less motivated to involve the police.

    6. Re:Well look who just went out of business! by F.Ultra · · Score: 1

      For one it would make the muggers jobs easier since the victims would incriminate themselves if they reported the crime so basically home run for the muggers!

    7. Re: Well look who just went out of business! by Anonymous Coward · · Score: 1

      It's okay, the dye pack is digital.

    8. Re:Well look who just went out of business! by Anonymous Coward · · Score: 3, Informative

      Please list any democratic country where it's illegal to pay a ransom. Paying a ransom is not equated with supporting a illegal organisation or as fencing in any jurisdiction that I'm aware of. Any attempt to make such payments would only yield one end result; the victims would be extremely less motivated to involve the police.

      Here's one; Canada.

      http://nationalpost.com/news/c...

    9. Re: Well look who just went out of business! by PoopJuggler · · Score: 1

      Bitcoin is not as anonymous as you might think.

    10. Re:Well look who just went out of business! by Bert64 · · Score: 1

      You don't "give" your wallet to a mugger, the mugger takes it from you forcibly. Even if you physically hand it over, you have done so under duress during the act of being mugged.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    11. Re: Well look who just went out of business! by religionofpeas · · Score: 1

      It's perfectly anonymous to receive the coins in a fresh address. Spending them is a bit trickier, but if you're not in a hurry, you can do that a few years later, maybe from a open WiFi network somewhere in a parking lot during vacation abroad.

    12. Re:Well look who just went out of business! by AmiMoJo · · Score: 1

      It's illegal in the UK if you know or could reasonably expect the funds will go towards terrorism. Basic criminals though, you can pay them.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    13. Re:Well look who just went out of business! by david_thornley · · Score: 1

      Muggers don't have to take it by force, if they've got a good enough threat. In this case, the hosting company was in really deep doo-doo if they couldn't get their files back, so that looks a lot like duress to me.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    14. Re:Well look who just went out of business! by F.Ultra · · Score: 1

      Of course both UK and US would go completely bananas when it comes to terrorists, don't know why I didn't see that one coming.

    15. Re:Well look who just went out of business! by F.Ultra · · Score: 1

      Seams to be only because it's about teh terrorists (which of course still makes your claim valid)

  9. Re:Poison Pill by Anonymous Coward · · Score: 2, Interesting

    Trouble is, as soon as you had something like that, it would end up used for fraudulent transactions during normal purchases. I could buy a $800 phone from you, wait until I get the phone, then the bitcoins I paid you with disappear.

  10. Re:Poison Pill by avandesande · · Score: 1, Informative

    every transaction is here https://blockchain.info/

    --
    love is just extroverted narcissism
  11. 10 days? by mnemotronic · · Score: 2

    If it takes 10 days to decrypt the data, wouldn't it have taken at least that long to encrypt it? So :
    1. Didn't any of the Nayana admins notice any unusual activity? I'm guessing not, given the breadth and depth of their other server configuration shortcomings.
    2. Didn't any of the customers notice their data disappearing?
    3. If a new file is added to the system at this point will it be encrypted? If an existing encrypted PDF file is renamed with an extension/type NOT in the encryption type list, will it get decrypted?

    --
    The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
    1. Re:10 days? by chuckugly · · Score: 2

      I'm not a ransomware author, but if I were I'd filter the I/O requests such that as I encrypted files, I would decrypt them on the fly as they were demanded until I was finished. Then I would possibly continue until my peers were also finished, and then probably raise the demand.

      I would be a little surprised (and sort of oddly disappointed) if this isn't how this class of ransomware works. Doing this is not rocket surgery.

  12. The lawsuits ... by dasgoober · · Score: 1

    ... probably would've cost them more.
    Then, lost customers.

    Well played, ransomers, well played

  13. end this by Ryanrule · · Score: 1

    charge them for conspiring with and funding criminals

    1. Re:end this by F.Ultra · · Score: 1

      That would just make matters worse. If you criminalize the victims you just make them less likely to involve the police and the criminals can operate far easier without risking getting caught (if no one files any charges then no one will be chasing them and the victims want's their data back).

    2. Re:end this by Ryanrule · · Score: 1

      Great, thats a second conspiracy charge.

    3. Re:end this by F.Ultra · · Score: 1

      Which opens you up for endless blackmail. #1 install ransomware. #2 collect ransom-money. #3 blackmail victim that you will tell the authorities that they did pay your ransom. #4 profit for ever.

  14. Re: Is there any reason why? by Sperbels · · Score: 2

    Yes, but the satisfaction gained expending a missile for this purpose makes it worthwhile.

  15. Seriously by Dunbal · · Score: 1

    pay the ransom demand in three installments, due to the company's inability to produce such a large amount of cash in a short period of time.

    Any company stupid enough that they have to pay ransom in the hope of getting their data back (there's a good chance they won't) deserve to go broke. BACKUPS. CONTINGENCY PLANS. Yeah it takes time and money but it's a lot fucking cheaper than sending random criminals millions of dollars and then listening to the sound of them laughing at you when they simply disappear with the money.

    --
    Seven puppies were harmed during the making of this post.
    1. Re:Seriously by F.Ultra · · Score: 1

      From TFA they installed the servers 8 years ago and have not applied a single patch since. I would say that they already proved to be stupid there and then.

  16. Re:Is there any reason why? by Anonymous Coward · · Score: 1

    Paying the ransom or using Tomahawk is a very expensive solution. Why not buy a $200K hardware and crack the RSA-2048 private key used for the encryption? Or maybe even cheaper solution is to shell out $50K to trace the Tor logs and pinpoint the servers of this Erebus ransomware.

  17. Re: Is there any reason why? by F.Ultra · · Score: 2

    Well, you now have an idea for a new Kickstarter!

  18. Re:Banks are the major clients of Nayana it seems by Dunbal · · Score: 4, Interesting

    So here's a funny story. Your database gets encrypted. You don't have a backup so you pay a ransom. IF the bad guy is nice, you get a key to decrypt your database again. Since you don't have any sort of backup to compare it to.... how the fuck do you know they haven't inserted/deleted/modified anything in there as well? You don't until things start happening. Even better, the bad guys know that you don't, because you were dumb enough to tell them by paying the ransom. Welcome to phase 2 of your security nightmare. You are now their bitch.

    --
    Seven puppies were harmed during the making of this post.
  19. This is what DR is for by roc97007 · · Score: 1

    What, they had no DR strategy? This type of incident is just what DR is for. Your data is a smoking hole in the ground. Now, rebuild. You have 24 hours.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
  20. Bad headline by strikethree · · Score: 1

    Headline should say, "Company would rather pay million dollar ransom than pay for competent help"

    Who cares? Why is this is on Slashdot? We all already know. The situation is predictable and happens all the time. Water is wet, news at 11.

    --
    "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
  21. Re:Banks are the major clients of Nayana it seems by zlives · · Score: 1

    our faith at FaithfUl baCK UPs is that criminals are not that mean.

  22. Re:Is there any reason why? by omnichad · · Score: 1

    Globally?

  23. Guarantee? by AlanObject · · Score: 1

    So how do you pay $1M (or any amount) of bitcoin to a the ransomware owners without getting some sort of guarantee from them that they will actually deliver the decrypt key? You just send the transaction and hope they hold up their end of the bargain?

    If they were in communication with the bad guys, that means there is some communication trail back to them. I can't see savvy malware people exposing themselves that way.

  24. Re:Is there any reason why? by mike.mondy · · Score: 1

    Paying the ransom or using Tomahawk is a very expensive solution. Why not buy a $200K hardware and crack the RSA-2048 private key used for the encryption?

    They say ten days to decrypt? I imagine the encryption took multiple days too. They should have had a good chance at finding a machine where it was still running.

    The most recent linux ransomware I've seen was the so-called "motd virus" that used a simplistic python script to do AES-128 encryption with a 512 bit key. That's symmetric. With it running for days as an ordinary process, you can probably spot it and get a core image. It would only take a fraction of a day to try every set of contiguous 512 bits from that image as a key.

    Of course, backups are better. But, if they're not using asymmetric encryption and if you can get a process image or an OS image, you can probably search for the key. On a similar note, for wannacry on Windows they found the prime numbers related to the key in memory even after the encryption process was complete.

  25. So there is a switch to delay deletion by ayesnymous · · Score: 1

    The ransomware writers allowed them to pay the rest later, so they had to tell the ransomware to postpone the deletion of files.

  26. Re:Banks are the major clients of Nayana it seems by Bert64 · · Score: 1

    If they want to backdoor your database, they had the access to do so without drawing attention to their presence by demanding a ransom...

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  27. This problem is not going to go away unless.... by dr.Flake · · Score: 1

    Word needs te get out, that secret service organizations have started to see this behavior of criminals as a threat to national security / national interests.

    When MI5 / CIA / FSB people start making people wake up with their testicles in a glass on the nightstand, the willingness of talented hackers to go for the "easy" money will decrease. Till then, every talented guy living in a shithole in eastern Uzbekistan will see this method as a way out of his shitty live.

    --
    Why are other peoples sig's always more witty ???
  28. If only they had been running Linux by blackpaw · · Score: 1

    They would have been safe! because you know, Linux!

    And who cares if a windows server got infected because it was never patched - still all windows fault!

  29. Re:Banks are the major clients of Nayana it seems by Dunbal · · Score: 1

    they had the access to do so without drawing attention to their presence by demanding a ransom...

    That doesn't put money in your pocket like a ransom does.

    --
    Seven puppies were harmed during the making of this post.
  30. Re:Poison Pill by david_thornley · · Score: 1

    You can trace bitcoins from wallet to wallet. Figuring out who the wallets belong to is more of a problem, particularly if they're in another country.

    --
    "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes