
Erebus portal

Updated on June 20, 2017, 12:10 AM PDT to add solution for Deep Security™.

On June 10, South Korean web hosting company NAYANA was hit by Erebus ransomware (detected by Trend Micro as RANSOM_ELFEREBUS.A), infecting 153 Linux servers and over 3,400 business websites the company hosts. In a notice posted on NAYANA's website on June 12, the company shared that the attackers demanded an unprecedented ransom of 550 Bitcoins (BTC), or US$1.62 million, to decrypt the affected files on all of its servers. In an update on June 14, NAYANA negotiated a payment of 397.6 BTC (around $1.01 million as of June 19, 2017), to be paid in installments.

In a statement posted on NAYANA's website on June 17, the second of three payments had already been made. On June 18, NAYANA started recovering the servers in batches. Some of the servers in the second batch are currently experiencing database (DB) errors. A third payment installment is also expected to be paid after the first and second batches of servers have been successfully recovered.

Erebus was first seen in September 2016, delivered via malvertisements, and reemerged in February 2017 using a method that bypasses Windows' User Account Control. While not comparable in terms of the ransom amount, this is reminiscent of what happened to Kansas Hospital, which did not get full access to its encrypted files after paying the ransom but was instead extorted a second time.

Figure 1: Erebus has a multilingual ransom note (English shown above)

Figure 2: Screenshot of a demo video from the attackers showing how to decrypt the encrypted files

As for how this Linux ransomware arrives, we can only infer that Erebus may have leveraged vulnerabilities or a local Linux exploit. For instance, based on open-source intelligence, NAYANA's website runs on Linux kernel 2.6.24.2, which was compiled back in 2008. Security flaws like DIRTY COW, which can give attackers root access to vulnerable Linux systems, are just some of the threats it may have been exposed to. Additionally, NAYANA's website uses Apache version 1.3.36 and PHP version 5.1.4, both of which were released back in 2006. Apache vulnerabilities and PHP exploits are well known; in fact, there was even a tool sold in the Chinese underground expressly for exploiting Apache Struts. The version of Apache NAYANA used runs as the user nobody (uid=99), which indicates that a local exploit may also have been used in the attack.

Figure 3: VirusTotal submissions of the Erebus Linux ransomware

It's worth noting that this ransomware is limited in terms of coverage and is, in fact, heavily concentrated in South Korea. While this may indicate that the attack is targeted, VirusTotal showed otherwise: several samples were also submitted from Ukraine and Romania. These submissions can also indicate that they came from other security researchers.

Here are some of the notable technical details we've uncovered so far about Erebus' Linux version:

Some ransomware families are known to scramble files in layers of encryption algorithms, such as UIWIX, later versions of Cerber, and DMA Locker. Erebus takes this up a notch; each file encrypted by Erebus will have this format:

The file is first scrambled with RC4 encryption in 500kB blocks with randomly generated keys. The RC4 key is then encrypted with AES, and the encrypted key is stored in the file. The AES key is in turn encrypted with RSA-2048, and that too is stored in the file. While each encrypted file has its own RC4 and AES keys, the RSA-2048 public key is shared.
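As an added example (not code from the original article and not Erebus' own implementation), the following Go program models the key hierarchy described above for one file: RC4 over the content, the RC4 key wrapped with a per-file AES key, and that AES key wrapped with the shared RSA-2048 public key. The struct layout, the raw single-block AES wrap, PKCS#1 v1.5 padding and the names LayeredFile, SharedKey, Encrypt and Recover are assumptions of the model; the 500kB block splitting is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"crypto/rc4"
	"crypto/rsa"
)

// LayeredFile models one file under the key hierarchy described above. Its field layout, a raw
// AES block for the 16-byte RC4 key and PKCS#1 v1.5 padding are this model's assumptions, not Erebus' format.
type LayeredFile struct {
	Body       []byte // content with the RC4 keystream applied
	WrappedRC4 []byte // per-file RC4 key encrypted under the per-file AES key
	WrappedAES []byte // per-file AES key encrypted under the shared RSA-2048 public key
}

// SharedKey stands in for the attacker's RSA-2048 pair: its public half goes into every file.
var SharedKey, _ = rsa.GenerateKey(rand.Reader, 2048)

func rc4Apply(key, data []byte) []byte { // symmetric: one call both scrambles and unscrambles
	c, _ := rc4.NewCipher(key) // 16-byte key, so NewCipher cannot fail; RC4 is here only because Erebus uses it
	out := make([]byte, len(data))
	c.XORKeyStream(out, data)
	return out
}

// Encrypt applies the three layers with fresh per-file RC4 and AES keys.
func Encrypt(pub *rsa.PublicKey, content []byte) LayeredFile {
	rc4Key, aesKey := make([]byte, 16), make([]byte, 32)
	rand.Read(rc4Key)
	rand.Read(aesKey)
	body := rc4Apply(rc4Key, content)
	block, _ := aes.NewCipher(aesKey)
	block.Encrypt(rc4Key, rc4Key) // wrap the RC4 key in place: it is exactly one AES block
	wrappedAES, _ := rsa.EncryptPKCS1v15(rand.Reader, pub, aesKey) // 32 bytes always fit under 2048 bits
	return LayeredFile{Body: body, WrappedRC4: rc4Key, WrappedAES: wrappedAES}
}

// Recover walks the hierarchy top-down: without the right RSA private key the first unwrap fails, so nothing beneath it is reachable.
func Recover(priv *rsa.PrivateKey, f LayeredFile) ([]byte, error) {
	aesKey, err := rsa.DecryptPKCS1v15(nil, priv, f.WrappedAES)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(aesKey)
	rc4Key := make([]byte, aes.BlockSize)
	block.Decrypt(rc4Key, f.WrappedRC4)
	return rc4Apply(rc4Key, f.Body), nil
}
```

Recover is the analyst's view of the scheme: a file's own RC4 and AES keys are reachable only through the one RSA private key, so a per-file key gives no foothold on any other file.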