A $1 million ransom payment has been transferred to cybercriminals who deployed Erebus ransomware to attack the South Korean web hosting company Nayana.

Erebus ransomware was first seen in September last year and was installed via websites hosting the Rig exploit kit. Traffic was sent to the malicious website hosting the Rig EK via malvertising campaigns. Vulnerable computers then had Erebus ransomware installed. This Erebus ransomware attack is unlikely to have happened the same way. Trend Micro suggests the attackers leveraged flaws on the company’s Linux servers, used a local exploit or both.

The infection spread to all 153 Linux servers that Nayana utilizes. Those servers hosted the websites of 3,400 companies. All of the firm’s customers seem to have been affected, with website files and databases encrypted.

Nayana was hacked on June 10, 2017. Following this hosting company responded quickly. Law enforcement agencies were contacted and it was initially hoped that it would be possible to decipher the ransomware and decrypt files without paying the ransom. It soon became obvious that was not an option.

Businesses can prevent avoid paying ransom payments following ransomware attacks by ensuring backups are completed of all data. Having a number of backups increases the likelihood of files being recoverable. In this case, Nayana had an internal and external backup; however, both of those backups were also encrypted in the hacking attack. Nayana therefore had no option but to negotiate with the hackers.

While ransom payments for companies are often in the $10,000 to $25,000 price bracket, the gang responsible this attack demanded an astonishing 550 Bitcoin for the keys to unlock the encryption – Approximately $1.62 million. On June 14, Nayana reported that it had settled for a ransom payment of 397.6 Bitcoin – Approximately $1.01 million, making this the largest known ransomware payment completed reported to date.

That payment is being made in three parts, with keys supplied to restore files on the servers in batches. When one batch of servers was successfully rescued, the second ransom payment was made. Nayana said that the recovery process would take around two weeks for each of the three batches of servers, leading to considerable downtime for the company’s business customers. Nayana experienced some issues restoring databases but says it is now transferring the final payment.

This incident shows how costly ransomware resolution can be and emphasises how important it is to ensure that operating systems and software are updated constantly. Patches should be conducted quickly to address flaws before they can be exploited by cybercriminals.

Simply having a backup is no guarantee that files can be rescued. If the backup device is linked to a networked machine when a ransomware attack takes place, backup files can also be encrypted. This is why it is essential for groups to ensure one backup is always offline. It is also advisable to partition networks to limit the damage caused by a ransomware attack. If ransomware is downloaded, only part of the network will be impacted.