June 20, 2017
On June 10, the South Korean hosting service NAYANA came under an attack mounted using the file-encrypting ransomware Erebus (discovered by Trend Micro and dubbed RANSOM_ELFEREBUS.A; classified as Linux.Encoder.10 and Linux.Encoder.11 under the Dr.Web classification system). As a result, 153 Linux servers and over 3,400 corporate sites hosted by the provider were infected.
A message published on June 12 on the company's site stated that the attackers had demanded an unprecedented ransom of 550 bitcoins (BTC), equivalent to 1.65 million USD, to fully decrypt the files on all the servers that had been compromised.
On June 14, NAYANA announced that it had agreed to pay 397.6 BTC (about 1.01 million USD as of June 19, 2017) in instalments.
Security specialists view this case as an ordinary ransomware attack: neglected software updates, configuration flaws, and so on. But this is the largest ransom amount that has ever been paid to extortionists, and the most successful attack on Linux to date.
Who is to blame?
- The hosting provider didn't offer to create backups for its customers and didn't establish a system to switch to if the existing infrastructure failed.
- Their customers relied upon the hosting infrastructure and didn't back up their data.
Successful attacks have been mounted against cloud service providers before, but none have drawn so much attention.
Doctor Web expects a sharp increase in the number of similar incidents.
And that’s because success stories of this sort encourage numerous copycats to appear. Perhaps, later on, the wave of attacks on providers of all kinds will decrease—or, perhaps, it will become a new trend just like the attacks on Linux did. It is too early to make predictions.
- If you store your data in a cloud and don't make backups, start doing it now, and make sure that you store them on servers belonging to a different provider, at home or in a different location.
- If you rent a cloud-based server, site, or service, it doesn't mean that you don't have to protect your data. Security is your concern. In addition to making backups, you need at minimum an anti-virus. One on your PC and in the cloud.
Dr.Web Server Security Suite (protects servers against malware) and Dr.Web Gateway Security Suite (scans inbound traffic and blocks access to dubious sites on the Internet) can provide protection for a service provider's infrastructure.
Dr.Web Enterprise Security Suite products provide protection for all corporate customers regardless of company size. Please pay special attention to the fact that anti-virus protection is necessary on the provider's end as well as on the customers' end (the corporate network and employee computers). This is the only way to protect against man-in-the-middle attacks.