On June 10, South Korea-based web hosting company NAYANA became one of the latest high-profile victims of ransomware after 153 of its Linux servers were found infected with a variant of Erebus ransomware (detected by Trend Micro as RANSOM_ELFEREBUS.A). The attack affected the websites, databases and multimedia files of around 3,400 businesses that use NAYANA’s services.
According to the latest notice posted on the company’s website, the cybercriminals appear to have succeeded in forcing NAYANA to pay the ransom: the company has made the first of three planned payments for all the keys needed to decrypt the infected files. However, NAYANA has yet to receive the first decryption key.
Erebus ransomware (RANSOM_EREBUS.A) first emerged in September 2016, distributed through malvertisements (malicious advertisements). The malicious ads redirected victims to the Rig exploit kit, which infected their systems with the ransomware. This Erebus variant targets 423 file types, encrypts files with the RSA-2048 algorithm, and appends the .ecrypt extension to affected files. It was observed using compromised websites in South Korea as its command and control (C&C) servers.
By February 2017, Erebus had evolved and changed tactics, using a technique that bypasses User Account Control (UAC)—a Windows feature that helps prevent unauthorized changes to the system—in order to run the ransomware with elevated privileges. Its ransom note threatens to delete the victim’s files within 96 hours unless a ransom of 0.085 Bitcoin (US$216 as of June 15, 2017) is paid. This version (RANSOM_EREBUS.TOR) also deletes shadow copies to prevent victims from recovering their files.
The variant that infected NAYANA’s servers is Erebus ransomware ported to Linux. Trend Micro’s ongoing analysis indicates that this version encrypts each file with a unique AES key and uses the RSA algorithm to encrypt those AES keys. Its persistence mechanisms include adding a fake Bluetooth service so that the ransomware runs again after the system or server is rebooted. It also uses cron—the utility in Unix-like operating systems such as Linux that schedules jobs via commands or shell scripts—to check every hour whether the ransomware is still running. In NAYANA’s case, it originally demanded 10 Bitcoins ($24,689), but the ransom has since gone down to 5 BTC ($12,344).
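One defender-side check that follows from the persistence behaviour described above (a service that impersonates Bluetooth and an hourly cron watchdog) is an audit of cron entries and service unit files for executables that run from scratch or hidden directories, and for admin-level unit files that override a vendor unit of the same name. The script below is an added example written for this page, not code from Trend Micro or from the Erebus analysis. The crontab and systemd unit contents are constructed samples, and the directory lists and file paths are assumptions chosen to illustrate the heuristics, not indicators taken from the malware.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Assumed "normal" locations for service executables and "abnormal" scratch
# directories; tune these to the distribution and hardening baseline in use.
TRUSTED_BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/",
                    "/usr/libexec/", "/usr/local/bin/", "/usr/local/sbin/")
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
PATH_RE = re.compile(r"(?<!\S)/[^\s;&|><]+")   # absolute paths inside a command string

# Constructed sample inputs (not from the article or the malware sample): a
# system crontab and two unit files as collected from a server during triage.
SAMPLE_CRONTAB = """\
# /etc/crontab (constructed sample)
SHELL=/bin/sh
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
0 *     * * *   root    /tmp/.cache/bt-agent --check
"""
SAMPLE_SERVICES = {
    "/etc/systemd/system/bluetooth.service": "[Unit]\nDescription=Bluetooth service\n"
        "[Service]\nExecStart=/var/tmp/.X11-unix/bluetoothd\nRestart=always\n"
        "[Install]\nWantedBy=multi-user.target\n",
    "/lib/systemd/system/bluetooth.service": "[Unit]\nDescription=Bluetooth service\n"
        "[Service]\nExecStart=/usr/lib/bluetooth/bluetoothd\n"
        "[Install]\nWantedBy=bluetooth.target\n",
}


@dataclass
class Finding:
    source: str    # file the entry came from
    subject: str   # the cron line or ExecStart line (or unit name)
    reason: str


def _path_reasons(path: str) -> List[str]:
    """Heuristics on a single executable path."""
    reasons = []
    if path.startswith(SCRATCH_DIRS):
        reasons.append(f"executes from scratch directory: {path}")
    if any(part.startswith(".") for part in path.split("/") if part):
        reasons.append(f"hidden path component: {path}")
    return reasons


def audit_crontab(text: str, source: str = "/etc/crontab") -> List[Finding]:
    """Flag system-crontab entries whose command runs from a suspicious path.
    An hourly schedule is reported only alongside another indicator, since
    hourly jobs (e.g. run-parts for cron.hourly) are normal on their own."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):
            continue   # blank, comment, or environment assignment
        fields = line.split(None, 6)   # 5 schedule fields, user, command
        if len(fields) < 7:
            continue
        minute, hour, command = fields[0], fields[1], fields[6]
        reasons = [r for p in PATH_RE.findall(command) for r in _path_reasons(p)]
        if reasons and hour == "*" and minute.isdigit():
            reasons.append("runs every hour (watchdog-style schedule)")
        findings.extend(Finding(source, line, r) for r in reasons)
    return findings


def audit_service_units(units: Dict[str, str]) -> List[Finding]:
    """Flag ExecStart binaries outside trusted directories and unit names that
    are defined under /etc/systemd/system as well as in a vendor directory
    (the /etc copy takes precedence over the vendor unit)."""
    findings = []
    for unit_path, body in units.items():
        for line in body.splitlines():
            if not line.startswith("ExecStart="):
                continue
            command = line.split("=", 1)[1].strip()
            if not command:
                continue
            exe = command.split()[0].lstrip("-@+!:")   # strip systemd prefix characters
            if not exe.startswith(TRUSTED_BIN_DIRS):
                findings.append(Finding(unit_path, line,
                                        f"ExecStart outside trusted binary directories: {exe}"))
            findings.extend(Finding(unit_path, line, r) for r in _path_reasons(exe))
    by_name: Dict[str, List[str]] = {}
    for unit_path in units:
        by_name.setdefault(unit_path.rsplit("/", 1)[-1], []).append(unit_path)
    for name, paths in by_name.items():
        admin = [p for p in paths if p.startswith("/etc/systemd/system/")]
        if len(paths) > 1 and admin:
            findings.append(Finding(admin[0], name,
                                    f"unit {name} also exists in a vendor directory; the /etc copy overrides it"))
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB) + audit_service_units(SAMPLE_SERVICES):
        print(f"{f.source}: {f.reason}\n    {f.subject}")
```

On a live system the same functions can be fed the real `/etc/crontab`, the files under `/etc/cron.d`, and unit files read from the systemd directories; the value of the check is in comparing the admin-level unit directory against the vendor one and in treating any long-lived job rooted in a scratch or hidden directory as worth a closer look.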
This iteration of Erebus targets 433 file types, some of which include:
Erebus isn’t the first file-encrypting malware to target Linux systems, or even servers. Linux.Encoder, Encryptor RaaS, a version of KillDisk, Rex, Fairware, and KimcilWare are all capable of targeting machines running Linux. In fact, Linux ransomware emerged as early as 2014 as offshoots of open-source projects supposedly designed for educational purposes. SAMSAM, Petya, and Crysis are just some of the ransomware families known to target and breach servers.
While Linux ransomware isn’t as established or mature as its Windows counterparts, it can still have a significant adverse impact on users and especially on enterprises. As NAYANA’s case shows, Linux is an increasingly popular operating system and a ubiquitous element in the business processes of organizations across industries—from servers and databases to web development and mobile devices. Data centers and hosting/storage service providers also commonly run machines on Linux.
The impact of ransomware such as Erebus on an organization’s operations, reputation, and bottom line highlights the importance of securing the servers and systems that power an enterprise’s business processes. The effect is multiplied when ransomware infects not only endpoints but also servers and networks. Here are some best practices that IT/system administrators and information security professionals can adopt to strengthen the security posture of their servers and systems:
Trend Micro Solutions
Trend Micro™ Deep Security™ stops ransomware from compromising enterprise servers and workloads, regardless of whether they are physical, virtual, in the cloud, or in containers. Deep Security™ defends against network threats with intrusion prevention (IPS) and a host firewall, shielding vulnerable servers from attack with a virtual patch until a software patch can be applied. Deep Security™ keeps malware, including ransomware, off servers with sophisticated anti-malware and behavioral analysis, ensuring that malicious actions are stopped immediately. Deep Security™ also provides system security, including application control to lock down servers and integrity monitoring that can detect potential indicators of compromise (IOCs), including ransomware.