AhnLab Security Center


Ransomware Attack Affecting 3,400 Businesses in South Korea


On June 10 (GMT+9), a new ransomware named Erebus successfully attacked a well-known local web hosting company, compromising over 150 of its Linux web servers and backup servers. The ransomware encrypted valuable customer files on the servers, causing collateral damage to more than 3,400 websites hosted by the company. The initial ransom demand was for 4 million dollars, but as of June 15, the company had negotiated to pay a million dollars.


This article covers the Erebus ransomware, from how it operates to how it can be resolved.


Two ransomware files, both in ELF format and executing on 32-bit and 64-bit Linux systems respectively, were discovered as of June 12. The text strings and encryption-related text strings shown in Figure 1 and Figure 2 were found inside these malicious files.



[Figure 1] Erebus ransomware file information



[Figure 2] Encryption-related text strings


Once executed, the ransomware encrypts important data and creates a file containing the ransom note. Each encrypted file is renamed to [a combination of alphanumeric letters].ecrypt, and the ransom note, shown in Figure 3, is displayed to notify the user.



[Figure 3] Screenshot of Erebus ransomware
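For triage on an affected Linux host, the rename pattern described above can be used to measure which directories were hit and when the first renamed file appeared. This is an added example, not AhnLab's code; the function names, the constructed sample tree, and the use of file modification time as an approximation of encryption time are assumptions.

```python
import os
import re
import tempfile

# Page: encrypted files are renamed to "[alphanumeric letters].ecrypt".
# The name length is not given on the page, so any length is accepted.
ECRYPT_NAME = re.compile(r"[A-Za-z0-9]+\.ecrypt")


def triage(root):
    """Per directory: count renamed vs. other files, earliest renamed mtime."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        entry = {"encrypted": 0, "other": 0, "first_seen": None}
        for name in files:
            if ECRYPT_NAME.fullmatch(name):
                entry["encrypted"] += 1
                # Assumption: mtime of a renamed file approximates encryption time.
                mtime = os.lstat(os.path.join(dirpath, name)).st_mtime
                if entry["first_seen"] is None or mtime < entry["first_seen"]:
                    entry["first_seen"] = mtime
            else:
                entry["other"] += 1
        if files:
            report[os.path.relpath(dirpath, root)] = entry
    return report


def earliest_encryption(report):
    """Earliest renamed-file mtime; backups older than this are restore candidates."""
    times = [e["first_seen"] for e in report.values() if e["first_seen"] is not None]
    return min(times) if times else None


def build_sample_tree(root):
    """Constructed sample data: one affected site, one untouched site."""
    layout = {"site_a/Zx91kQ07.ecrypt": 1000.0, "site_a/b7YtR2.ecrypt": 1200.0,
              "site_a/notes.ecrypt.bak": 1300.0,  # extra suffix: not a match
              "site_b/index.html": 900.0, "site_b/backup.tar.gz": 950.0}
    for rel, mtime in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
        os.utime(path, (mtime, mtime))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(sorted(triage(tmp).items()))
```

Run `triage()` against a read-only mount or forensic copy where possible, since walking a live filesystem can update access times.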


The ransomware behind the attack is a variant of Erebus. It targets files on the Linux system with the extensions .tar and .gz, as well as documents and images with the extensions .jpg, .docx and .xlsx. The table below displays the list of file extensions targeted by Erebus.



[Table 1] The list of file extensions targeted by Erebus


Erebus encrypts files regardless of whether or not the infected system has a network connection. It connects over the Tor network to a hidden .onion domain that serves as its Command and Control (C&C) server.


The relevant aliases identified by AhnLab’s security solutions are as follows:

<Alias identified by AhnLab>



With the continuous rise in ransomware and its variants, the damages caused are increasing exponentially. The best practice to prevent infection is to follow the basic security etiquette before looking for advanced security solutions. 


For businesses in particular, it is crucial to impede the propagation of damage from the first point of attack. AhnLab MDS (Malware Defense System) provides an integrated response across both the network and the endpoint against elusive threats, including ransomware.


In order to protect the system, AhnLab MDS provides an Execution Holding (EH) feature via its agent which holds off the execution of files.

This feature holds and blocks a suspicious file as it attempts to infect a system while AhnLab MDS conducts dynamic analysis to determine the threat severity of the file. This analysis is completed within seconds and a threat notification feed is sent to the MDS agent. The suspicious file, now confirmed as malware, is then deleted or moved to quarantine depending on the severity determined by the analysis. The real-time defense mechanism and the advanced technology of AhnLab MDS block threats at the first point of attack to provide complete protection from increasingly sophisticated malware.