Erebus Ransomware Attack Information

    • Updated: 21 Sep 2017
    • Product/Version: Deep Discovery Inspector 3.8, Deep Security 10.0, Deep Security 10.1
    • Platform: N/A
Summary

On June 10, 2017, South Korean web hosting company NAYANA was hit by Erebus ransomware (detected by Trend Micro as RANSOM_ELFEREBUS.A), infecting 153 Linux servers and over 3,400 business websites the company hosts.

Erebus was first seen in September 2016 via malvertisements and reemerged in February 2017 using a method that bypasses Windows’ User Account Control. It is worth noting that this ransomware is limited in terms of coverage and is heavily concentrated in South Korea. While this may indicate that the attack is targeted, several samples were also submitted from Ukraine and Romania; these submissions may also have come from other security researchers.

Details

Below is the identified behavior of the Erebus Ransomware:

[Figure: Erebus Infection Chain]

C&C Callback

Erebus sends ACK packets to connect with its C&C servers (IP: 216.126.224.***). It gathers the following information and sends it to the remote server:
  • Private Key
  • Public Key
  • Malware install path
  • Operating System
  • Operating System version and architecture
  • Timezone
  • Language
  • Network Adapter
  • IP Address
  • MAC Address
Be aware that each payload stage runs independently, so blocking the C&C connections does not prevent file encryption.

File Encryption

Erebus encrypts 433 file types including:
  • Office documents (.pptx, .docx, .xlsx)
  • databases (.sql, .mdb, .dbf, .odb)
  • archives (.zip, .rar)
  • Website-related and developer project files (.html, .css, .php, .java)
  • Email files (.eml, .msg)
  • multimedia files (.avi, .mp4)
However, Erebus appears to be coded mainly to target web servers and the data stored on them.
Erebus searches directories such as "var/www/", where website files/data are stored, as well as the "ibdata" files used by MySQL.

Ensuring Persistence

Erebus creates a CRON task to automatically execute itself every hour under the following path: /etc/cron.hourly/96anacron.
It also creates a phony Bluetooth service to automatically execute itself at every start-up if the service did not already exist:
  • /etc/rc.d/init.d/bluetooth
  • /etc/rc.d/rc2.d/S25bluetooth
  • /etc/rc.d/rc3.d/S25bluetooth
  • /etc/rc.d/rc4.d/S25bluetooth
  • /etc/rc.d/rc5.d/S25bluetooth

Possible Arrival Vector

Last Update: 2017-June-20

  • Currently, we can only infer that Erebus may have leveraged vulnerabilities or a local Linux exploit.
  • NAYANA’s website runs on Linux kernel 2.6.24.2, which was compiled back in 2008. For example, Dirty Cow, which can give attackers root access to vulnerable Linux systems, is just one of the many possible threats it may have been exposed to.
  • NAYANA’s website uses Apache version 1.3.36 and PHP version 5.1.4, both of which were released back in 2006.

Trend Micro Solutions and Best Practice Configuration

The following are the Indicators-of-Compromise (IOCs):

  1. Files that are dropped as ransom notes:
    • {folder of encrypted files}\_DECRYPT_FILE.txt
    • {folder of encrypted files}\_DECRYPT_FILE.html
    • {folder of encrypted files}\index.html
  2. Renaming Rules:
    • {random filename}.ecrypt
  3. Creates CRON task to automatically execute itself every hour:
    • /etc/cron.hourly/96anacron
  4. Creates phony Bluetooth Service to automatically execute itself every-start-up:
    • /etc/rc.d/init.d/bluetooth
    • /etc/rc.d/rc2.d/S25bluetooth
    • /etc/rc.d/rc3.d/S25bluetooth
    • /etc/rc.d/rc4.d/S25bluetooth
    • /etc/rc.d/rc5.d/S25bluetooth
  5. Connects to the following C&C address: 216.126.224.*
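As an added example (not from the article or from Trend Micro), the following Python checker looks for the host IOCs listed above and in the Ensuring Persistence section (the 96anacron cron task, the phony Bluetooth init entries, the ransom notes and the .ecrypt extension under var/www) and flags connection records in the 216.126.224.* range. The function names, the sample directory tree and the netstat-style lines are my own constructions.

```python
import re
import tempfile
from pathlib import Path
# Persistence artifacts named in this article, relative to the filesystem root.
PERSISTENCE_PATHS = [
    "etc/cron.hourly/96anacron",
    "etc/rc.d/init.d/bluetooth",
    "etc/rc.d/rc2.d/S25bluetooth",
    "etc/rc.d/rc3.d/S25bluetooth",
    "etc/rc.d/rc4.d/S25bluetooth",
    "etc/rc.d/rc5.d/S25bluetooth",
]
# index.html is also dropped, but is too common to flag by name alone.
RANSOM_NOTES = {"_DECRYPT_FILE.txt", "_DECRYPT_FILE.html"}
# The article gives the C&C as 216.126.224.*; treat the whole /24 as suspect.
CNC_RE = re.compile(r"\b216\.126\.224\.\d{1,3}\b")
# Constructed netstat-style lines (not real capture data) for the connection check.
SAMPLE_CONNECTIONS = [
    "tcp 0 0 10.0.0.5:43122 216.126.224.17:80 ESTABLISHED 2231/96anacron",
    "tcp 0 0 10.0.0.5:22 10.0.0.9:51234 ESTABLISHED 912/sshd",
]

def scan_host(root="/", web_dirs=("var/www",)):
    """Return the Erebus host IOCs found under root (defaults to the live system)."""
    root = Path(root)
    found = {"persistence": [], "ransom_notes": [], "encrypted_files": 0}
    for rel in PERSISTENCE_PATHS:
        p = root / rel
        if p.exists() or p.is_symlink():  # rcN.d entries are normally symlinks
            found["persistence"].append(str(p))
    for d in web_dirs:  # Erebus goes after web content under var/www
        base = root / d
        for path in (base.rglob("*") if base.is_dir() else []):
            if path.name in RANSOM_NOTES:
                found["ransom_notes"].append(str(path))
            elif path.suffix == ".ecrypt":  # extension given to encrypted files
                found["encrypted_files"] += 1
    return found

def scan_connections(lines):
    """Return the connection records that reference the 216.126.224.0/24 C&C range."""
    return [ln for ln in lines if CNC_RE.search(ln)]

def build_constructed_sample():
    """Create a throwaway tree with constructed artifacts so the scanner runs offline."""
    root = Path(tempfile.mkdtemp(prefix="erebus-demo-"))
    for rel in PERSISTENCE_PATHS[:2] + ["var/www/site/_DECRYPT_FILE.txt",
                                        "var/www/site/a1b2c3.ecrypt", "var/www/site/index.php"]:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).touch()
    return root
```

On a live host, call scan_host() with no arguments as root and feed the output of your connection table (for example netstat -tnp) to scan_connections(); a hit on any persistence path is a stronger signal than a lone .ecrypt file, since a legitimate cron.hourly/96anacron entry does not exist.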

Trend Micro Product Configuration

Product | Action
Deep Discovery Inspector | Configure Rule 2434: EREBUS - Ransomware - HTTP Request
Deep Security | Configure Intrusion Prevention Rule 1008457: Ransomware Erebus; configure Application Control (on supported platforms)
TippingPoint | ThreatDV filter 28725: HTTP: Erebus Ransomware Check-in

Ransomware such as Erebus directly affects an organization’s operations and reputation, which highlights the importance of securing the servers and systems that power an enterprise’s business processes. The effect is multiplied if the ransomware manages to infect not only endpoints but also servers and networks. Here are some best practices that IT/system administrators and information security professionals can adopt to strengthen the security posture of their servers and systems:

  • Keep the system and server updated.
    A strong patch management policy should be enforced to ensure that the system and server have the latest patches, fixes, and kernel; where a patch cannot be applied promptly, deploy virtual patching.
  • Avoid or minimize adding third-party or unknown repositories or packages.
    This limits the vulnerabilities attackers can use as entry points into the server or system. The risks can be further lessened by removing or disabling unnecessary components or services in the server.
  • Apply the principle of least privilege.
    Linux’s privilege separation provides a way to restrict the modifications a program can make to the system. Restricting permissions/privileges also helps mitigate exposure and further damage as well as prevent unauthorized use. IT/system administrators can consider using extensions that implement mandatory policies that manage the extent of access a program can have to a system file or network resource.
  • Proactively monitor and validate your network traffic.
    Protecting the network against threats is a must for any enterprise. Deploying intrusion detection and prevention systems as well as firewalls helps identify, filter, and block traffic, which can indicate a malware infection. Event logs provide forensic information that can help IT/system administrators detect incursion attempts and actual attacks.
  • Back up your files.
    An effective countermeasure against ransomware’s fear-mongering tactic and impact is to keep backups of files stored in the system or server—with at least three copies in two different formats, with one stored offsite.
  • Apply network segmentation and data categorization.
    Network segmentation curbs the spread of infection, while data categorization mitigates the damage that may be incurred from an attack.
Category: Remove a Malware / Virus
Solution Id: 1118373