Home / Archive / South Korean Firm Pays $1 Million in Bitcoin Ransom to Regain Data

South Korean Firm Pays $1 Million in Bitcoin Ransom to Regain Data

Last Updated March 4, 2021 4:57 PM
Samburaj Das
Last Updated March 4, 2021 4:57 PM

A South Korean web hosting company is paying over USD $1 million in bitcoin to extortionists to put an end to a ransomware crisis affecting nearly 3,500 customers.

In what is seen as the biggest publicly-known payout to date, South Korean web hosting firm Nayana is paying out a total of 397.6 BTC (approx. $1.05 million at press time) to the attacker in order to recover the data of websites belonging to over 3,400 customers, most of whom are small business customers.

The ransomware, titled Erebus, infected a total of 153 Linux servers along with customers’ websites. According to Trend Micro , the ransomware strain is capable of infecting up to 433 file types including office documents, databases, archives and multimedia files. Closer analysis by researchers revealed the ransomware to be specifically coded toward targeting and encrypting web servers and their data.

In a notice  posted on June 12, Nayana revealed details of the original ransom note which demanded an unprecedented 550 bitcoins ($1.6 million at the time).

“My boss tell me, your buy many machine, give you good price, 550 BTC. If you do not have enough money, you need make a loan,” wrote the extortionist in his original communication.

The demand and the ensuing threat read:

“You company have 40+ employees,
every employees’s annual salary $30,000
all employees 30,000*40 = $1,200,000
all server 550BTC = $1,620,000

If you can’t pay that, you should go bankrupt.
But you need to face your childs, wife, customers and employees.
Also your will lost your reputation, business.
You will get many more lawsuits.”

On June 14, Nayana posted an update , revealing CEO Hwang Chil-hong’s negotiations with the hackers. The executive revealed he was facing financial ruin and negotiated the ransom sum down to 397.6 BTC, to be paid in three installments. So far, two payments have been paid already.

Trend Micro researchers point to Nayana’s use of outdated systems – a 2008 Linux kernel, Apache and PHP versions from 2006 as factors behind the ransomware exploit.

“It’s worth noting that this ransomware is limited in terms of coverage, and is, in fact, heavily concentrated in South Korea,” researchers wrote.

Nayana’s most recent update  from June 20 (Tuesday) reveals that a currently-running decryption program will take about 2-5 days to recover customer files, while some servers are expected to take over 10 days. The third payment is expected to be made today, Wednesday, upon receiving an additional decryption key.

Featured image from Shutterstock.