June 27, 2017
Christophe Bertrand

Epic Linux ransomware attack nets cybercriminals a cool $1M

On June 10, cybercriminals made history. Using the Erebus ransomware variant, they netted a $1M USD ransomware payday, the largest ransom payment ever extorted from a business anywhere in the world.

The unlucky victim of this stunning attack? Nayana, a South Korean web hosting company.

The astronomical impact of this Erebus ransomware attack

The Erebus ransomware, initially detected on Microsoft systems in 2016, successfully infected 153 Linux servers and encrypted more than 3,400 Nayana customer websites.

Under intense customer pressure, Nayana committed to the largest ransomware payment in the history of cyber attacks. That much is crystal clear.

Somewhat unusually, Nayana was able to negotiate a smaller ransom. The cybercriminals originally demanded 550 Bitcoins, approximately $1.6M USD; Nayana reduced its payment to the extortionists by nearly a third.

Of course, submitting to ransom demands is always a risky business.

Nayana agreed to pay in three installments, and the attackers in turn agreed to let Nayana recover its Linux servers in three corresponding batches. Servers in the second batch, however, are experiencing database errors.

A service provider caught with its pants down

These astronomical figures raise the question: how could Nayana have allowed its core business to remain so vulnerable?

To be blunt: This was an epic failure on the part of the service provider. Any IT newbie would expect a large web hosting service provider like this to be hardened. Nayana wasn’t.

And, its vulnerabilities were practically begging to be exploited:

  • Nayana was operating on Linux kernel 2.6.24.2, compiled in 2008
  • Nayana’s website ran Apache 1.3.36 and PHP 5.1.4, both released in 2006

We cannot stress enough the importance of installing software updates and security patches as soon as they are released.

Equally important, we urge all service providers to assess their own exposure carefully. A payday this large makes every provider a more attractive target, so expect ransomware attackers to try, try again.

Let go of your false sense of security: Linux is under threat

While ransomware attackers clearly favor Windows because of its larger market share, this massive Linux attack proves the operating system is not invulnerable. Linux encoders are becoming increasingly sophisticated, which means you must be vigilant about protecting your data.

What’s more, be wary of vendors that claim you’re more exposed if you’re running on Windows. That’s clearly no longer the case.

Protect your Linux environment from ransomware infection

If you’re operating on Linux-based systems, you absolutely must take the ransomware threat into consideration when developing your data protection strategy.

That begins with data security best practices, including:

  • Investing in regular, thorough ransomware training for your IT team and end users
  • Implementing robust, layered endpoint security, including antivirus and threat detection
  • Regularly backing up your critical systems to an offline target
  • Never emailing from any machine that hosts your backup server
  • Keeping software up-to-date and immediately installing OS security patches
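The version problem described earlier (a 2008 kernel, and Apache and PHP releases from 2006) and the "keep software up to date" item in the list above both come down to one recurring check: is anything on this host older than the oldest release its vendor still patches? The script below is an added example written for this post, not Arcserve's, Nayana's or any vendor's code. It compares dot-separated versions field by field, so that 2.4.52 counts as newer than 2.4 and a kernel string such as 5.15.0-91-generic is compared on its numeric prefix, and it reports every component below baseline. The installed versions in the sample inventory are the ones the post reports for Nayana; the baselines (4.9, 2.4, 7.0) are hypothetical placeholders, not vendor support data, and an operator would replace them with their own vendors' minimum-supported releases.

```shell
#!/bin/sh
# Added example, not Arcserve's or Nayana's code: audit installed software
# versions against a minimum-supported baseline that the operator maintains.

# version_lt A B: succeed (status 0) when version A is strictly older than B.
# Fields are compared numerically; a missing trailing field counts as 0, so
# 2.4.52 is newer than 2.4, and "0-91-generic" in a kernel string reads as 0.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, A, "."); nb = split(b, B, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      x = (i <= na) ? A[i] + 0 : 0
      y = (i <= nb) ? B[i] + 0 : 0
      if (x < y) exit 0
      if (x > y) exit 1
    }
    exit 1   # equal versions are not "older"
  }'
}

# audit_inventory: read "component installed minimum" lines on stdin, print a
# verdict per line, and return the number of components below their baseline
# (0 means the whole inventory passed; shells cap return values at 255).
audit_inventory() {
  outdated=0
  while read -r name installed minimum; do
    [ -z "$name" ] && continue
    if version_lt "$installed" "$minimum"; then
      printf 'OUTDATED %-13s %-12s baseline %s\n' "$name" "$installed" "$minimum"
      outdated=$((outdated + 1))
    else
      printf 'OK       %-13s %s\n' "$name" "$installed"
    fi
  done
  return "$outdated"
}

# Constructed sample inventory: installed versions are those the post reports
# for Nayana; the baselines are hypothetical placeholders, not vendor EOL data.
sample_inventory() {
  cat <<'EOF'
linux-kernel 2.6.24.2 4.9
apache 1.3.36 2.4
php 5.1.4 7.0
EOF
}

# live_inventory: the same three components read from the local host, paired
# with the same placeholder baselines. Components that are not installed are
# skipped rather than reported.
live_inventory() {
  printf 'linux-kernel %s 4.9\n' "$(uname -r | sed 's/[^0-9.].*//')"
  for bin in httpd apache2; do
    if command -v "$bin" >/dev/null 2>&1; then
      v=$("$bin" -v 2>/dev/null | sed -n 's#^Server version: Apache/\([0-9.]*\).*#\1#p')
      [ -n "$v" ] && printf 'apache %s 2.4\n' "$v"
      break
    fi
  done
  if command -v php >/dev/null 2>&1; then
    v=$(php -v 2>/dev/null | sed -n '1s/^PHP \([0-9.]*\).*/\1/p')
    [ -n "$v" ] && printf 'php %s 7.0\n' "$v"
  fi
}

# Audit the constructed sample by default, or this host with --live.
if [ "${1:-}" = "--live" ]; then
  live_inventory | audit_inventory || echo "$? component(s) below baseline"
else
  sample_inventory | audit_inventory || echo "$? component(s) below baseline"
fi
```

Run without arguments the script flags all three of the sample components; with `--live` it reads the kernel, Apache and PHP versions from the host it runs on. The non-zero return count from `audit_inventory` is deliberate so the script can sit in a cron job or a configuration-management check and fail loudly instead of just printing.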

When it comes to deploying an effective backup and recovery solution, it’s also critical to ensure it offers the robust capabilities and ease-of-use that will make executing your ransomware protection strategy simple and effective.

Arcserve UDP does just that with a powerful range of capabilities, including:

  • Instant VM for faster data recovery
  • File/folder-level recovery of Linux VMs backed up via agentless, host-based backups on vSphere and Hyper-V hosts
  • Global data deduplication
  • WAN-optimized replication
  • Infinite incremental backups
  • Archive to tape
  • Bare metal restore of Unified Extensible Firmware Interface systems
  • Ability to back up to and recover from recovery point server deduplication stores

Remember: At the end of the day, no amount of end user education or endpoint security will fully protect your business. Ransomware finds a way. And, that’s why investing in backup and recovery is so critical to your business continuity.

For more information about the Linux ransomware threat, check out this Linux ransomware blog post by backup and recovery industry thought leader, Christophe Bertrand. And, to learn more about ransomware recovery solutions, explore our Arcserve UDP solution suite.