Ransomware is Coming for You, Sooner or Later



It appears that this ransomware thing might be here for a while.

Just a few weeks after the WannaCry ransomware worm outbreak sent waves of panic through the intertubes, we now have the case of a web hosting company in South Korea that was completely overrun with ransomware and nearly put out of business because of it. The company, Nayana, was hit on June 10 with a strain of ransomware called Erebus, which specializes in infecting web servers.

And that’s exactly what it did. The ransomware infected more than 150 Linux servers in Nayana’s infrastructure, taking down many of its customers’ sites in the process. The company was forced to negotiate with the attackers, who had originally demanded more than $4 million in ransom. After several days of back-and-forth discussions, Nayana officials were able to get the price down to a little more than $1 million. That’s some pretty solid negotiating, but the problem is that the company doesn’t have the money.

In order to pay the ransom, Nayana’s CEO said he was forced to take an investment from an outside company.

“In order to protect the interests of our customers, we have continuously negotiated with hackers. We decided to get the decryption key value by paying about 1.3 billion [won]. The hacker has decided to set up a stake as collateral through the company that proposed the acquisition,” the company said in a statement on its site (translated).

“We are in the process of paying for the current transfer limit increase, bitcoin exchange, etc. We will notify you of the detailed restoration schedule for each server as soon as you receive the key.”

Nayana is paying the ransom in three installments, and has begun restoring some of the encrypted data. But there have been some hiccups with the decryption and restoration process, leaving the company’s customers in a difficult situation.

“Each infringing server-specific decryption process takes more time than we anticipated. After copying the data of the infringing server to the Windows server, we are recovering it to the decryption program,” a notice on the company’s site says.

“It is estimated that it will take about 2 ~ 5 days to recover from the decryption program, but some servers will take more than 10 days.”

The Nayana situation, while unique in some respects, also represents an object lesson for enterprises that might be targeted by ransomware, which is essentially all of them. Ransomware is coming for your data. It might not happen this week, this month, or this year, but it’s coming. And it would be highly advisable to have a plan in place that lays out exactly what your company will and will not do in the event of a ransomware attack. Will you pay the ransom? If so, how high are you willing to go? When it’s not your data, it’s easy to say that you won’t pay, but when your customers are pounding on the door and you’re watching money wash down the drain, the calculus can change very quickly. It also would be beneficial to have complete offsite backups that you can actually rely on: kept out of reach of whatever compromised the production servers, tested so you know they restore cleanly, and accessible quickly enough that restoring is a realistic alternative to negotiating. That can make the decision of whether to pay the ransom much easier.
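A backup you have never restored is only a hope. The following is an added example, not code from this article or from Nayana, of the kind of restore check a hosting operator could run: a hashed manifest is taken of a directory when it is backed up, and a restored copy is then compared against that manifest, reporting files that are missing, altered (as an encrypted file would be), or unexpectedly present (as a ransom note would be). The directory layout and file contents are constructed inside the script purely so it runs offline.

```python
"""Backup restore check: verify that a restored copy of a directory matches
the SHA-256 manifest recorded when the backup was taken.

Added illustrative example; the paths and files below are constructed
in a temporary directory and are not from any real system.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Stream a file through SHA-256 so large site archives are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = file_sha256(p)
    return manifest


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest taken at backup time.

    Returns a dict with four lists of relative paths:
      ok        - present with the expected hash
      missing   - in the manifest but absent from the restore
      modified  - present but with a different hash (e.g. encrypted in place)
      extra     - present in the restore but never backed up (e.g. a ransom note)
    """
    result = {"ok": [], "missing": [], "modified": [], "extra": []}
    restored = build_manifest(restored_root)
    for rel, digest in manifest.items():
        if rel not in restored:
            result["missing"].append(rel)
        elif restored[rel] != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    for rel in restored:
        if rel not in manifest:
            result["extra"].append(rel)
    return result


def demo() -> dict:
    """Constructed scenario: a small web root is backed up, 'restored', and then
    one file is overwritten, one is lost, and a stray file appears."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "www"
        (src / "site").mkdir(parents=True)
        (src / "site" / "index.html").write_text("<h1>hello</h1>")
        (src / "site" / "app.php").write_text("<?php echo 1; ?>")
        (src / "config.ini").write_text("db=prod")
        manifest = build_manifest(src)  # recorded when the backup was taken

        restored = Path(tmp) / "restored"
        shutil.copytree(src, restored)
        # Simulate damage: one file overwritten with junk, one missing, one stray file.
        (restored / "site" / "app.php").write_bytes(b"\x00\x01garbage")
        (restored / "config.ini").unlink()
        (restored / "RESTORE_NOTE.txt").write_text("constructed stray file")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for status, paths in demo().items():
        print(f"{status:9s} {paths}")
```

In practice the manifest would be written alongside the backup and stored somewhere the production hosts cannot write to, so that an attacker with root on a web server cannot quietly rewrite both the data and the record of what the data should be. Running the verification on a scheduled test restore, not only after an incident, is what turns "we have backups" into "we can restore."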

We’ve seen how difficult these infections can be for companies to deal with, especially when they affect the organization’s core business. Defending against ransomware is difficult, and user education can be a key part of it. Reminding users not to open unexpected attachments or click on links in suspect emails can help, but in the age of self-propagating ransomware worms such as WannaCry, which spread through an exploit for an unpatched service rather than through anything a user clicked, that isn’t going to be enough. We’re now in an era that requires enterprises to prepare for the certainty, not the possibility, of a ransomware infection, and the time to start is now.

Dennis Fisher


Dennis Fisher is editor-in-chief at Duo Security. He is an award-winning technology journalist who has specialized in covering information security and privacy for the last 15 years. Prior to joining Duo, he was one of the founding editors of On the Wire, Threatpost and previously covered security for TechTarget and eWeek.