South Korean web host pays largest ransomware demand ever

WannaCry only demanded $300 from each victim. These hackers extorted $1 million from one South Korean company.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
2 min read

Ransomware demands have tripled over the last year. Now a South Korean company is paying out $1 million to free its servers.

Damien Meyer / AFP/Getty Images

Hackers appear to have pulled off a $1 million heist with ransomware in South Korea.

The ransomware attacked more than 153 Linux servers that South Korean web provider Nayana hosted, locking up more than 3,400 websites on June 10. In Nayana's first announcement a few days later, it said the hackers demanded 550 bitcoins to free up all the servers -- about $1.62 million.

Four days later, Nayana said it'd negotiated with the attackers and got the payment reduced to 397 bitcoins, or about $1 million. This is the single largest-known payout for a ransomware attack, and it was an attack on one company. For comparison, the WannaCry ransomware attacked 200,000 computers across 150 countries, and has only pooled $127,142 in bitcoins since it surfaced.

Ransomware demands have risen rapidly over the past year, tripling in price from 2015 to 2016. But even then, the highest cost of a single ransomware attack was $28,730

Nayana agreed to pay the ransomware in three installments, and said Saturday it's already paid two-thirds of the $1 million demand.

"It is very frustrating and difficult, but I am really doing my best and I will do my best to make sure all servers are normalized," a Nayana administrator said, according to a Google translation of the blog post.

The company is expected to make the final payment once all the servers from the first and second payouts have been restored.

Trend Micro, a cybersecurity research firm, identified the ransomware as Erebus, which targets Linux servers for attacks. It first surfaced in September through web ads, and popped up again in February.

"It's worth noting that this ransomware is limited in terms of coverage, and is, in fact, heavily concentrated in South Korea," Trend Micro researchers said Monday in a blog post.

Paying ransomware is at the victim's discretion, but nearly all organizations, including government agencies and security researchers, advise against it.

Tech Enabled: CNET chronicles tech's role in providing new kinds of accessibility.

CNET Magazine: Check out a sample of the stories in CNET's newsstand edition.