A couple of months ago, I wrote about the dangers of using old versions of PHP. Web hosting companies that provide customers with out-of-date software are a liability, both to themselves and the web. My focus was on hacked web applications, but it can get much worse than that. In June, a story broke that shows exactly why web hosting customers should make sure their hosting company provides an up-to-date software stack.
Korean web hosting company Nayana has agreed to pay attackers $1 million to retrieve the data of 34,000 web hosting clients on 153 Linux servers that were attacked by ransomware. Although it’s not yet clear how the attackers compromised the servers, it appears likely that ancient versions of the Linux kernel, the Apache web server, and other software may be to blame.
Ransomware has been a serious problem for several years. Ransomware compromises vulnerable servers, encrypts the data they store, and demands a ransom for the decryption keys. For well-implemented ransomware that attacks data without adequate backups, there is no real solution other than to pay.
In the past, ransomware mainly targeted Windows machines, often PCs owned by non-technical users who accidentally install the malicious application. But criminals are well aware of the value represented by web hosting and enterprise servers, which often run Linux, an operating system ransomware hasn’t had much success with until now. The Erebus ransomware implicated in the Nayana attack was originally a Windows-only tool, but it appears to have become quite effective against Linux servers.
Or, as is the case here, woefully outdated Linux servers. Last time I discussed the issue of out-of-date web hosting software, I was thinking of software a couple of months or even a year out of date. Nayana has managed to surprise even me. Its web hosting servers were running Linux Kernel 22.214.171.124, which dates from 2008. Sites hosted on Nayana’s servers used Apache 1.3.36 and PHP 5.1.4, both of which were released in 2006. Using eleven-year-old software on the web is like handing the keys to attackers.
Nayana agreed to pay the attackers after negotiating to reduce the ransom from the original demand of more than $4.4 million, but the payout is still a huge coup for the criminals. We can expect to see the number of attacks against web hosting companies and their clients increase, as criminals attempt to replicate and exceed their success with Nayana.
There are two lessons web hosting clients should learn from this attack. Firstly, make sure your web hosting provider uses up-to-date versions of software on its servers, or choose a managed server host who will take care of ensuring that your software is kept up to date. If you manage your own servers, update them!
Secondly, server backups are an effective second line of defense if servers are compromised. Ransomware is only a risk if it can deprive victims of data. If they have secure, recent backups that the attackers can’t reach, victims just have to wipe their servers and restore from the backup.
Ransomware is a serious problem, but keeping backups and maintaining an up-to-date software stack are enough to defend against all but the most determined ransomware attacks.