Record $1.5m ransomware payoff stirs controversy in South Korea

A staff member monitoring the spread of ransomware cyber-attacks at the Korea Internet and Security Agency (KISA) in Seoul. PHOTO: AFP

SEOUL (The Korea Herald/Asia News Network) - A Korean web hosting firm's recent decision to pay a huge ransom to a group of cybercriminals sets a bad precedent, possibly opening the door for more criminals to target Korea for easy money, security experts said.

Last Wednesday (June 14), local web hosting firm Nayana said it had decided to pay money to a hacker group that had paralysed its 150 servers - which also affected its 3,400 client websites - since June 10.

"We completed the negotiations with the hacker and we are now preparing the money to buy bitcoins and restore the encoded servers," the web hosting company's CEO Hwang Chil-hong said on the firm's website.

Nayana planned to pay around US$1.1 million (S$1.5 million) in bitcoins to the hackers in return for the restoration of its servers damaged by ransomware, malicious code that penetrates computers and encrypts files.

The ransomware - known as Erebus - targeted computers running Microsoft Windows and was also modified so a variant would work against Linux-based systems, BBC reported.

Ms Angela Sasse, director of the Institute in the Science of Cyber-Security, told the BBC that she was surprised by the size of the ransom.

"This is a record ransom from what I know, although some will have paid and not gone public," she said.

The local firm said paying the money was necessary to save its 3,400 client websites, which mostly belong to small companies and startups.

"We know it is illegal (to pay the money) but we had no other choice. Otherwise, hundreds of thousands of people (from the client firms) will face damage," the CEO of Nayana said in an interview with a local media outlet.

However, security experts said paying off such criminals would create a vicious circle, as it could result in more hackers targeting Korea for easy money.

"It is sad to see the damage faced by the hosting firm. But, from another perspective, the decision also left a bad precedent for other local hosting firms vulnerable to security (breaches)," said Shin Dae-kyu, head of the Korea Internet & Security Agency's internet incidents response division.

The firm's US$1.1 million ransom is more than 1,000 times higher than the average of US$1,077 that victims paid to cyber criminals last year.

Experts also said there was still no guarantee that the hackers would restore the data even after receiving the money.

"The negotiation was the worst because even if criminals do not restore the data, there is nothing the hosting company can do," said professor Lim Jong-in of Korea University's department of cyber defence.

"The government should not view the incident as an individual company's issue but should make all efforts to find the criminals and to prevent further attacks."

The state-run KISA said it would begin research on restoring encoded data in order to reduce further ransomware damage. The agency also plans to join the No More Ransom Project led by the European Cybercrime Center.

"We will push for technology research and information sharing with related industries to dispel public fears over ransomware," said KISA head Baik Kee-seung.