A $1 million ransom payment has been made to cybercriminals who used Erebus ransomware to attack the South Korean web hosting firm Nayana.

Erebus ransomware was first detected in September last year and was downloaded via websites hosting the Rig exploit kit. Traffic was directed to the malicious website hosting the Rig EK via malvertising campaigns. Vulnerable computers then had Erebus ransomware downloaded. This Erebus ransomware attack is unlikely to have occurred the same way. Trend Micro suggests the attackers leveraged vulnerabilities on the comapny’s Linux servers, used a local exploit or both.

The infection spread to all 153 Linux servers used by Nayana. Those servers hosted the websites of 3,400 businesses. All of the firm’s customers appear to have been affected, with website files and databases encrypted.

Nayana was attacked on June 10, 2017 in the early hours. The hosting company responded rapidly. Law enforcement was contacted and it was initially hoped that it would be possible to crack the ransomware and decrypt files without paying the ransom. It soon became clear that was not an option.

Companies can avoid paying ransom payments following ransomware attacks by ensuring backups are made of all data. Having multiple backups increases the likelihood of files being recoverable. In this case, Nayana had an internal and external backup; however, both of those backups were also encrypted in the attack. Nayana therefore had no alternative but to negotiate with the attackers.

While ransom payments for businesses are often in the $10,000 to $25,000 price bracket, the gang behind this attack demanded an astonishing 550 Bitcoin for the keys to unlock the encryption – Approximately $1.62 million. On June 14, Nayana reported that it had negotiated a ransom payment of 397.6 Bitcoin – Approximately $1.01 million, making this the largest ransomware ransom payment reported to date.

That payment is being made in three instalments, with keys supplied to restore files on the servers in batches. When one batch of servers was successfully recovered, the second ransom payment was made. Nayana said that the recovery process would take approximately 2 weeks for each of the three batches of servers, resulting in considerable downtime for the company’s business customers. Nayana experienced some problems restoring databases but says it is now paying the final payment.

This incident shows how costly ransomware resolution can be and highlights how important it is to ensure that operating systems and software are updated regularly. Patches should be applied promptly to address vulnerabilities before they can be exploited by cybercriminals.

Simply having a backup is no guarantee that files can be recovered. If the backup device is connected to a networked machine when a ransomware attack occurs, backup files can also be encrypted. This is why it is essential for organizations to ensure one backup is always offline. It is also wise to segment networks to limit the damage caused by a ransomware attack. If ransomware is installed, only part of the network will be affected.