Cyber Incident Victim: Nayana
Date: Jun 2017
Location: South Korea
Summary
A South Korean web hosting service suffered a ransomware attack involving the Linux-targeting Erebus variant, leading to data encryption across 153 Linux servers and 3,400 customer websites. The attackers initially demanded $4.4 million in Bitcoin, but negotiations reduced the payment to $1 million, with recovery efforts described as complex and ongoing. The compromise likely exploited outdated software, including an obsolete Linux kernel version vulnerable to exploits like DIRTY COW, alongside deprecated Apache and PHP versions running with insecure configurations. Security researchers inferred the intrusion leveraged known vulnerabilities or local Linux exploits, noting the ransomware specifically targeted web server environments. The incident resulted in significant operational disruption and financial loss for the company and its clients.
Description
In June 2017, South Korean web hosting provider Nayana suffered a ransomware attack affecting 153 Linux servers and 3,400 customer websites. The attackers deployed a Linux variant of the Erebus ransomware, encrypting critical data and initially demanding five billion won ($4.4 million) in Bitcoin. Nayana engaged in negotiations that reduced the ransom to 1.8 billion won before finalizing payment at 1.2 billion won (approximately $1 million). By June 17, 2017, the company publicly confirmed the payment and initiated recovery operations, though technical challenges prolonged the restoration process. A company representative stated engineers were working to normalize all servers but cautioned that full recovery would require significant time due to the complexity of decrypting and restoring affected systems. The incident disrupted services for thousands of clients hosted across Nayana's infrastructure.

Analysis by Trend Micro researchers indicated Nayana's systems ran outdated software vulnerable to known exploits. The web host operated Linux kernel 2.6.24.2 (compiled in 2008), leaving it exposed to vulnerabilities like DIRTY COW, which could grant attackers root access. Apache version 1.3.36 and PHP 5.1.4, both dating to 2006, presented additional risks due to unpatched security flaws. The Apache instance ran under the "nobody" user account (uid=99), suggesting attackers may have leveraged local privilege escalation exploits. While the exact infection vector remained unconfirmed, evidence pointed to potential exploitation of these outdated components. The Erebus variant specifically targeted web server environments, marking a significant adaptation from its original Windows-focused payloads. Nayana's public communications did not disclose whether customer data was exfiltrated or solely encrypted during the attack.
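The three findings above (an end-of-life kernel, 2006-era Apache and PHP, and a web server running under the shared "nobody" account) are the kind of thing a host hygiene check should catch before an attacker does. The following audit script is an added example, not Nayana's or Trend Micro's code; the KERNEL_MIN, APACHE_MIN and PHP_MIN baselines are assumed values for illustration, and the sample inputs in the last comment are constructed from the figures quoted in the analysis.

```shell
#!/bin/sh
# Added audit example (not Nayana's or Trend Micro's code): flags the three
# conditions named in the analysis above, using assumed baselines.
KERNEL_MIN=${KERNEL_MIN:-4.19}   # assumed baseline; set from your patch policy
APACHE_MIN=${APACHE_MIN:-2.4}    # assumed baseline
PHP_MIN=${PHP_MIN:-7.4}          # assumed baseline

# version_lt A B: succeeds if numeric dotted version A is strictly lower than B
version_lt() {
    i=1
    while :; do
        x=$(printf '%s' "$1" | cut -d. -f"$i")
        y=$(printf '%s' "$2" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 1      # all fields compared equal
        x=${x:-0}; y=${y:-0}                         # treat 2.4 as 2.4.0
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
}

# check_component NAME CURRENT MINIMUM: prints a finding, fails if outdated
check_component() {
    if version_lt "$2" "$3"; then
        printf 'FAIL %-7s %s is older than baseline %s\n' "$1" "$2" "$3"
        return 1
    fi
    printf 'OK   %-7s %s\n' "$1" "$2"
}

# check_service_user USER: fails if the web server runs as the shared "nobody"
# account (uid 99); a dedicated unprivileged account keeps it isolated from
# every other daemon that also falls back to nobody
check_service_user() {
    case "$1" in
        nobody|99) printf 'FAIL web server runs as %s\n' "$1"; return 1 ;;
    esac
    printf 'OK   web server user %s\n' "$1"
}

# audit KERNEL APACHE PHP USER: exit status is the number of failed checks
audit() {
    fails=0
    check_component kernel "$1" "$KERNEL_MIN" || fails=$((fails + 1))
    check_component apache "$2" "$APACHE_MIN" || fails=$((fails + 1))
    check_component php    "$3" "$PHP_MIN"    || fails=$((fails + 1))
    check_service_user "$4"                   || fails=$((fails + 1))
    return "$fails"
}

# Constructed from the versions quoted above; all four checks fail (status 4):
# audit 2.6.24.2 1.3.36 5.1.4 nobody
```

On a live host, feed `audit` the numeric parts of `uname -r`, `httpd -v` and `php -v` plus the user shown by `ps` for the httpd worker processes.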
