Slashdot Mirror


South Korean Web Hosting Provider Pays $1 Million In Ransomware Demand (bleepingcomputer.com)

An anonymous reader writes: Nayana, a web hosting provider based in South Korea, announced it is in the process of paying a three-tier ransom demand of nearly $1 million worth of Bitcoin, following a ransomware infection that encrypted data on customers' servers. The ransomware infection appears to have taken place on June 10, but Nayana admitted to the incident two days later, in a statement on its website.

Attackers asked for an initial ransom payment of 550 Bitcoin, which was worth nearly $1.62 million at the time of the request. After two days of negotiations, Nayana staff said they managed to reduce the ransom demand to 397.6 Bitcoin, or nearly $1 million. In a subsequent announcement, Nayana officials stated that they negotiated with the attackers to pay the ransom demand in three installments, due to the company's inability to produce such a large amount of cash in a short period of time.

On Saturday, June 17, the company said it already paid two of the three payment tranches. In subsequent announcements, Nayana updated clients on the server decryption process, saying the entire operation would take up to ten days due to the vast amount of encrypted data. The company said 153 Linux servers were affected, servers which stored the information of more than 3,400 customers.


  1. WTF --- So, no backups, at all? by HumanWiki · Score: 5, Insightful

    So, outside of the question of where are all your backups, DB logging, aux-copy, snapshots, etc... How did this happen?? (reads bottom part of article)...

    Never mind....

    1. Re:WTF --- So, no backups, at all? by HumanWiki · Score: 5, Informative

      Backing up user VMs is trivial. So is a snapshot system. Most all the major hypervisor makers have this built in and there are also plenty of freeware things to do this as well.

      You can run Hyper-V, with free Veeam and with some scheduled task stuff from Task Scheduler or a Jenkins system, you can kick off PowerShell code that will automagically find all your VMs, even in a non-clustered pool (so long as you registered the hosts in Veeam free), and then back them all up as full sets, with compression and/or encryption to a NAS device of some sort.

      Restoring is also easily done AND you can restore the whole machine as it was at the stun/snap, registered, powered on and everything, restore just the VM filesets to manually register and start or you can do varying levels of OS level file restore for just those files that got mucked up.

      This stuff is pretty easy to do and low cost.

    2. Re:WTF --- So, no backups, at all? by Anonymous Coward · Score: 3, Interesting

      That is too true.

      My old company I used to work for would not listen to me, the IT manager, as the IT Director (who was known as Can't Understand New Technology) insisted we only need one backup tape to backup the company data and insisted we kept the tape in his office. Needless to say I had all the memos to backup (no pun) my position on this and many other matters. Well we had a fire, the tape got burnt and the servers were also fried and bang NO DATA, the company quickly sacked the IT manager with a 2 finger payoff.

    3. Re:WTF --- So, no backups, at all? by Anonymous Coward · Score: 2, Insightful

      I do not know how many times I have heard a DBA or System Admin claim that they had sound backups... because the Legato (etc...) server said they did, only to find out that they had no usable backup tapes when something bad did happen and they had to recover.

      There is a significant cost to testing the recovery of backups and many companies do not test to make certain that the backups they are running have any value at all.

    4. Re:WTF --- So, no backups, at all? by Dunbal · Score: 3, Informative

      Storing thousands (if not many many more) of VM backups for customers for free is "low cost"?

      If you wrote out the contract properly then you made sure that user backups are the user's responsibility, in which case you don't have to pay a single penny ransom because you don't owe anyone anything. Well you could be nice and take snapshots once a week or something and if users complain you point to the appropriate clause in the contract. There is NO excuse. None. You're trying to justify idiocy. Don't. It just makes you look bad too.

      --
      Seven puppies were harmed during the making of this post.
  2. "You know... by cirby · Score: 5, Insightful

    "It's a lot cheaper for us to hire some really awful people to find you and get the money back, so why don't you just hand over the encryption keys right now?"

  3. Once again by mfh · Score: 3, Insightful

    A Trend Micro analysis of the Nayana systems reveals endemic problems. It is no surprise that the hosting provider fell victim to this infection.

    Once again, a company is managed by sales guys not tech guys. What could possibly go wrong?

    IT Guy: "We need to upgrade our servers."

    Business guy: "That costs too much. Don't bring suggestions like that to a meeting again!"

    IT Guy: {{okay.png}}

    The version of Apache NAYANA used is run as a user of nobody(uid=99), which indicates that a local exploit may have also been used in the attack.

    Oh wait. Maybe it was an inside job?

    The gnuplot thickens!

    --
    The dangers of knowledge trigger emotional distress in human beings.
    1. Re:Once again by s1d3track3D · Score: 3, Funny

      Oh wait. Maybe it was an inside job?

      NAYANA’s website runs on Linux kernel 2.6.24.2, which was compiled back in 2008. [...] Additionally, NAYANA’s website uses Apache version 1.3.36 and PHP version 5.1.4, both of which were released back in 2006.

      With versions like this, who doesn't have a remote shell account with elevated privileges on their servers!?

    2. Re:Once again by Tablizer · Score: 2

      Once again, a company is managed by sales guys not tech guys.

      Investors may know and accept the trade-offs. Slimy salesy companies often can and do grow big and make investors wealthy.

      I don't know what percent of investors are that way, but there are sufficient numbers to keep plenty of slimers afloat. Big investors can spread the risk so that no one slimer flame-out ruins their aggregate portfolio. They are playing the averages.

  4. Well look who just went out of business! by Dan1701 · Score: 5, Funny

    If you pay the ransom in secret, then the guys who set you up this time now know three useful things:

    1) You are stupid enough to pay ransoms.
    2) You are stupid enough to run vulnerable systems which make setting up the demand possible.
    3) You have the money to pay these ransoms.

    In short, you just lit up an enormous great SUCKER sign right up above your heads, but only for the criminal group that ran the fiddle.

    These utter idiots have however publicly said that they paid the ransom. Now every script kiddie on the planet knows those three facts, and they are ALL going to be gunning for the known-rich suckers.

    This company can be counted as dead and gone right now. If you own stock in it, get rid of it soonest, before it becomes worthless.

    1. Re:Well look who just went out of business! by itamihn · Score: 4, Interesting

      Also, can they be prosecuted for these payments? They are in the end sending money to an illegal organisation.

    2. Re:Well look who just went out of business! by Anonymous Coward · Score: 2, Insightful

      Also, they just armed a criminal group with enough money to fund their next attack. Thanks for nothing.

    3. Re:Well look who just went out of business! by F.Ultra · Score: 3, Insightful

      Please list any democratic country where it's illegal to pay a ransom. Paying a ransom is not equated with supporting an illegal organisation or with fencing in any jurisdiction that I'm aware of. Any attempt to make such payments illegal would only yield one end result: the victims would be far less motivated to involve the police.

    4. Re:Well look who just went out of business! by Anonymous Coward · Score: 3, Informative

      Please list any democratic country where it's illegal to pay a ransom. Paying a ransom is not equated with supporting an illegal organisation or with fencing in any jurisdiction that I'm aware of. Any attempt to make such payments illegal would only yield one end result: the victims would be far less motivated to involve the police.

      Here's one: Canada.

      http://nationalpost.com/news/c...

  5. Re:"153 Linux servers" ... uh-oh by sqorbit · Score: 2

    I don't believe that you can blame Linux or Windows when updating and patching your systems avoids this type of thing. Again, this was an attack on systems that were not updated properly. If known vulnerabilities are out there and you are not updating your system, the OS developer has done their job and patched the security hole; you have not done your job in updating your systems. There is no excuse for a web hosting company not updating systems when they have huge amounts of public-facing IP addresses.

    --
    Sent from my TARDIS
  6. Re:Poison Pill by Anonymous Coward · Score: 2, Interesting

    Trouble is, as soon as you had something like that, it would end up used for fraudulent transactions during normal purchases. I could buy a $800 phone from you, wait until I get the phone, then the bitcoins I paid you with disappear.

  7. 10 days? by mnemotronic · Score: 2

    If it takes 10 days to decrypt the data, wouldn't it have taken at least that long to encrypt it? So:
    1. Didn't any of the Nayana admins notice any unusual activity? I'm guessing not, given the breadth and depth of their other server configuration shortcomings.
    2. Didn't any of the customers notice their data disappearing?
    3. If a new file is added to the system at this point will it be encrypted? If an existing encrypted PDF file is renamed with an extension/type NOT in the encryption type list, will it get decrypted?

    --
    The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
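    mnemotronic's first question above is whether the Nayana admins should have noticed unusual activity. As an added example, not part of the thread and not anything Nayana ran, here is a Python baseline-and-rescan check that flags the two file-level signatures of in-place encryption: content entropy jumping toward 8 bits per byte, and a file vanishing while a same-stem file with an appended or replaced extension appears. The directory layout, file contents and the 7.5 bits/byte threshold are constructed assumptions for the demonstration.

```python
"""Added example (not from the thread): detect ransomware-style file rewrites
by comparing a baseline entropy scan of a directory tree with a later rescan.
Every file name, content and threshold below is constructed."""
import math
import tempfile
from collections import Counter
from pathlib import Path

HIGH_ENTROPY = 7.5  # bits per byte; encrypted or compressed data sits near 8.0 (assumed threshold)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan(root: Path) -> dict:
    """Map each regular file (path relative to root, POSIX form) to its entropy."""
    return {p.relative_to(root).as_posix(): shannon_entropy(p.read_bytes())
            for p in root.rglob("*") if p.is_file()}


def same_file_renamed(old: str, new: str) -> bool:
    """True for 'q1.csv' -> 'q1.csv.locked' (appended) or 'q1.csv' -> 'q1.enc' (replaced)."""
    return new.startswith(old + ".") or (
        Path(new).parent == Path(old).parent
        and Path(new).with_suffix("").name == Path(old).with_suffix("").name)


def diff_scans(before: dict, after: dict) -> list:
    """Alerts for in-place high-entropy rewrites and rename-plus-encrypt patterns."""
    alerts = []
    new_files = {rel: ent for rel, ent in after.items() if rel not in before}
    for rel, old_ent in before.items():
        if rel in after:
            # Same name, but text-like content became ciphertext-like content.
            if old_ent < HIGH_ENTROPY <= after[rel]:
                alerts.append(f"rewritten in place: {rel} "
                              f"({old_ent:.2f} -> {after[rel]:.2f} bits/byte)")
            continue
        # Original name is gone: look for a high-entropy successor with a new extension.
        for new_rel, new_ent in new_files.items():
            if new_ent >= HIGH_ENTROPY and same_file_renamed(rel, new_rel):
                alerts.append(f"renamed and encrypted: {rel} -> {new_rel} "
                              f"({new_ent:.2f} bits/byte)")
    return alerts


def demo() -> list:
    """Build a constructed tree, take a baseline, then simulate one rename-plus-encrypt,
    one in-place rewrite and one benign edit; return the resulting alerts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "invoices").mkdir()
        (root / "invoices" / "q1.csv").write_text("id,amount\n1,10.00\n2,25.50\n" * 50)
        (root / "notes.txt").write_text("meeting notes: rotate backup tapes weekly\n" * 20)
        (root / "readme.txt").write_text("hosting plan overview\n" * 20)
        baseline = scan(root)

        # Constructed stand-in for ciphertext: every byte value equally often,
        # which is exactly 8.0 bits/byte.
        ciphertext = bytes(range(256)) * 16
        (root / "invoices" / "q1.csv").unlink()
        (root / "invoices" / "q1.csv.locked").write_bytes(ciphertext)          # rename + encrypt
        (root / "notes.txt").write_bytes(ciphertext)                             # rewritten in place
        (root / "readme.txt").write_text("hosting plan overview (edited)\n" * 20)  # benign edit

        return diff_scans(baseline, scan(root))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

    Run against a real tree the same way: keep the baseline dictionary from a quiet period, rescan on a schedule, and page on the first alert; the entropy threshold is what separates a batch of genuinely compressed uploads from a tree being encrypted underneath you, so tune it on your own data.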
    1. Re:10 days? by chuckugly · Score: 2

      I'm not a ransomware author, but if I were I'd filter the I/O requests such that as I encrypted files, I would decrypt them on the fly as they were demanded until I was finished. Then I would possibly continue until my peers were also finished, and then probably raise the demand.

      I would be a little surprised (and sort of oddly disappointed) if this isn't how this class of ransomware works. Doing this is not rocket surgery.

  8. Re: Is there any reason why? by Sperbels · Score: 2

    Yes, but the satisfaction gained expending a missile for this purpose makes it worthwhile.

  9. Re: Is there any reason why? by F.Ultra · Score: 2

    Well, you now have an idea for a new Kickstarter!

  10. Re:Banks are the major clients of Nayana it seems by Dunbal · Score: 4, Interesting

    So here's a funny story. Your database gets encrypted. You don't have a backup so you pay a ransom. IF the bad guy is nice, you get a key to decrypt your database again. Since you don't have any sort of backup to compare it to.... how the fuck do you know they haven't inserted/deleted/modified anything in there as well? You don't until things start happening. Even better, the bad guys know that you don't, because you were dumb enough to tell them by paying the ransom. Welcome to phase 2 of your security nightmare. You are now their bitch.

    --
    Seven puppies were harmed during the making of this post.
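    Three comments in this thread turn on the same control: HumanWiki's point that backing up and restoring VMs is easy, the Anonymous Coward's warning that backups nobody has ever restored are often worthless, and Dunbal's question of how you would know a decrypted database came back unaltered. As an added Python example, not from the thread and not Nayana's or Veeam's code, the script below writes a compressed backup with a SHA-256 manifest, proves the backup by restoring it into a scratch directory and diffing the result against the manifest, and reuses that manifest to list what changed in a tree that came back from "decryption". File names, contents and the archive name are constructed.

```python
"""Added example (not from the thread): a backup counts only once it has been
restored into a scratch directory and every file's SHA-256 matches the manifest
written at backup time; the same manifest later shows what a 'decrypted' tree
lost, gained or had changed.  All paths and contents are constructed."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large database dumps do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative POSIX path -> SHA-256 hex digest for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(expected: dict, actual: dict) -> dict:
    """Three-way diff of two manifests; all-empty lists mean the trees are identical."""
    return {
        "missing": sorted(k for k in expected if k not in actual),
        "added": sorted(k for k in actual if k not in expected),
        "changed": sorted(k for k in expected if k in actual and expected[k] != actual[k]),
    }


def manifest_path(archive: Path) -> Path:
    return archive.with_name(archive.name + ".manifest.json")


def backup(root: Path, archive: Path) -> dict:
    """Write a gzip tarball of root plus a sidecar JSON manifest; return the manifest."""
    manifest = build_manifest(root)
    with tarfile.open(str(archive), "w:gz") as tar:
        for p in sorted(root.rglob("*")):
            if p.is_file():
                tar.add(str(p), arcname=p.relative_to(root).as_posix())
    manifest_path(archive).write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_restore(archive: Path) -> dict:
    """Restore into a throwaway directory and diff against the manifest.
    A backup that does not come back with an empty diff is not a backup."""
    expected = json.loads(manifest_path(archive).read_text())
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive), "r:gz") as tar:
            # Use the hardened extraction filter where this Python provides it
            # (3.12+, and backported to 3.8.17/3.9.17/3.10.12/3.11.4).
            if hasattr(tarfile, "data_filter"):
                tar.extractall(scratch, filter="data")
            else:
                tar.extractall(scratch)
        return compare(expected, build_manifest(Path(scratch)))


def demo() -> dict:
    """Back up a constructed tree, prove the restore, then show what the manifest
    reveals about a tree that came back from 'decryption' silently altered."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "site"
        (root / "db").mkdir(parents=True)
        (root / "db" / "accounts.sql").write_text("INSERT INTO accounts VALUES (1, 100.00);\n")
        (root / "index.html").write_text("<h1>hosting</h1>\n")
        archive = Path(tmp) / "site.tar.gz"
        manifest = backup(root, archive)
        restore_diff = verify_restore(archive)

        # Simulate data handed back after "decryption" with one row altered
        # and one unexpected file added (both constructed).
        (root / "db" / "accounts.sql").write_text("INSERT INTO accounts VALUES (1, 100000.00);\n")
        (root / "db" / "unexpected.sql").write_text("-- constructed: file that was never backed up\n")
        tamper_diff = compare(manifest, build_manifest(root))
        return {"restore": restore_diff, "after_decrypt": tamper_diff}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

    The manifest must live somewhere the ransomware cannot reach (offline media or a write-once store), otherwise it gets encrypted alongside the data it is meant to vouch for; and the restore test is worth scheduling, not running once, because it is the only thing that tells you the archive, the tooling and the procedure still work together.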