{
	"id": "c91db0c3-c5c4-4ef4-bad0-e2b9991050c8",
	"created_at": "2026-04-06T00:06:38.326523Z",
	"updated_at": "2026-04-10T03:21:42.918563Z",
	"deleted_at": null,
	"sha1_hash": "01ee67cd8338daa764282dfead5c8b38fd12ac9d",
	"title": "Erebus Resurfaces as Linux Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 83482,
	"plain_text": "Erebus Resurfaces as Linux Ransomware\r\nPublished: 2017-06-19 · Archived: 2026-04-05 13:13:34 UTC\r\nUpdated on June 20, 2017, 12:10 AM PDT to add solution for Deep Securityproducts™.\r\nOn June 10, South Korean web hosting company NAYANA was hit by Erebus ransomwarenews article (detected\r\nby Trend Micro as RANSOM_ELFEREBUS.A), infecting 153 Linux servers and over 3,400 business websites the\r\ncompany hosts.\r\nIn a noticeopen on a new tab posted on NAYANA’s website last June 12, the company shared that the attackers\r\ndemanded an unprecedented ransom of 550 Bitcoins (BTC), or US$1.62 million, in order to decrypt the affected\r\nfiles from all its servers. In an update on June 14, NAYANA negotiated a payment of 397.6 BTC (around $1.01\r\nmillion as of June 19, 2017) to be paid in installments. In a statement posted on NAYANA’s website on June 17,\r\nthe second of three payments was already made. On June 18, NAYANA started the process of recovering the\r\nservers in batches. Some of the servers in the second batch are currently experiencing database (DB) errors. A\r\nthird payment installment is also expected to be paid after the first and second batches of servers have been\r\nsuccessfully recovered.\r\nWhile not comparable in terms of the ransom amount, this is reminiscent of what happened to Kansas\r\nHospitalnews- cybercrime-and-digital-threats, which didn’t get full access to the encrypted files after paying the\r\nransom, but was instead extorted a second time.\r\nErebus was first seen on September 2016 via malvertisementsnews- cybercrime-and-digital-threats and reemerged\r\non February 2017 and used a method that bypasses Windows’ User Account Controlnews- cybercrime-and-digital-threats. 
Here are some of the notable technical details we’ve uncovered so far about Erebus’ Linux version:\r\nFigure 1: Erebus has a multilingual ransom note (English shown above)\r\nFigure 2: Screenshot of a demo video from the attackers showing how to decrypt the encrypted files\r\nPossible Arrival Vector\r\nAs for how this Linux ransomware arrives, we can only infer that Erebus may have leveraged vulnerabilities or a local Linux exploit. For instance, based on open-source intelligence, NAYANA’s website runs on Linux kernel 2.6.24.2, which was compiled back in 2008. Security flaws like Dirty COW, which can give attackers root access to vulnerable Linux systems, are just some of the threats it may have been exposed to.\r\nAdditionally, NAYANA’s website uses Apache version 1.3.36 and PHP version 5.1.4, both of which were released back in 2006. Apache vulnerabilities and PHP exploits are well known; in fact, there was even a tool sold in the Chinese underground expressly for exploiting Apache Struts (a Java web framework, distinct from the Apache HTTP Server that NAYANA runs). The version of Apache NAYANA used runs as the user nobody (uid=99), which indicates that a local exploit (to escalate from that unprivileged account) may also have been used in the attack.\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-linux-ransomware/\r\nPage 1 of 5\r\nFigure 3: VirusTotal submissions of the Erebus Linux ransomware\r\nIt’s worth noting that this ransomware is limited in terms of coverage and is, in fact, heavily concentrated in South Korea. While this may suggest a targeted attack, VirusTotal showed otherwise: several samples were also submitted from Ukraine and Romania. 
These submissions may also simply have come from other security researchers.\r\nEncryption Routine\r\nSome ransomware families are known to scramble files in layers of encryption algorithms, such as UIWIX, later versions of Cerber, and DMA Locker. Erebus takes this up a notch; each file encrypted by Erebus has this layout:\r\nHeader (0x438 bytes)\r\nRSA-2048-encrypted original filename\r\nRSA-2048-encrypted AES key\r\nRSA-2048-encrypted RC4 key\r\nRC4-encrypted data\r\nThe file is first scrambled with RC4 in 500 kB blocks with randomly generated keys. The RC4 key is then encrypted with AES and stored in the file. The AES key is in turn encrypted with RSA-2048 and also stored in the file.\r\nWhile each encrypted file has its own RC4 and AES keys, the RSA-2048 public key is shared. These RSA-2048 keys are generated locally, but the private key is encrypted with AES under another randomly generated key. Ongoing analysis indicates that decryption is not possible without getting hold of the RSA private key.\r\nTargeted File Types\r\nOffice documents, databases, archives, and multimedia files are the usual file types targeted by ransomware. It’s the same for this version of Erebus, which encrypts 433 file types. However, the ransomware appears to be coded mainly for targeting and encrypting web servers and the data stored on them.\r\nHere is a table that shows the directories and system tablespaces that Erebus searches. 
Note that /var/www/ is where the files/data of websites are stored, while the ibdata and ib_logfile files are the InnoDB system tablespace and redo log files used by MySQL:\r\nIncluded directories:\r\nvar/www/\r\nIncluded files:\r\nibdata0, ibdata1, ibdata2, ibdata3, ibdata4, ibdata5, ibdata6, ibdata7, ibdata8, ibdata9\r\nib_logfile0, ib_logfile1, ib_logfile2, ib_logfile3, ib_logfile4, ib_logfile5\r\nExcluded directories:\r\n$/bin/, $/boot/, $/dev/, $/etc/, $/lib/, $/lib64/, $/proc/, $/run/, $/sbin/, $/srv/, $/sys/, $/tmp/, $/usr/, $/var/\r\n/.gem/, /.bundle/, /.nvm/, /.npm/\r\nFigure 4: Directories and system tablespaces Erebus searches\r\nAdopt Best Practices\r\nDespite their market share, Unix and Unix-like operating systems such as Linux are poised to be lucrative for bad guys as ransomware continues to diversify and mature in the threat landscape. Why? They are a ubiquitous part of the infrastructures that power many enterprises, used by workstations and servers, web and application development frameworks, databases, and mobile devices, among others.\r\nAnd as we’ve seen in other families like WannaCry, SAMSAM, Petya, or HDDCryptor, the capability to affect servers and network shares amplifies the impact. A single vulnerable machine on a network is sometimes all it takes to infect connected systems and servers.\r\nGiven the risks to business operations, reputation, and bottom line, enterprises need to be proactive in keeping threats like ransomware at bay. There is no silver bullet against ransomware like Erebus, which is why IT/system administrators should take a defense-in-depth approach to security. 
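As an added worked example (this is not code from Trend Micro or from the Erebus sample, and it decrypts nothing), the following Python script makes two of the observations above concrete: a path matcher that reproduces the scan scope in Figure 4, and a parser for the per-file layout described under Encryption Routine, with the entropy check an incident responder would run over /var/www and the InnoDB tablespaces to sort encrypted files from untouched ones. Assumptions, marked in the code as well: the $ prefix in Figure 4 anchors an entry at the filesystem root while the dot-directory entries match at any depth; included entries take precedence over the $/var/ exclusion (otherwise neither /var/www/ nor the ibdata files could have been hit); each RSA-2048-encrypted field is 256 bytes; and the header and RSA fields of the constructed sample are placeholders, with a pure-Python RC4 used only so that the sample body looks like real output.

```python
# Added example, not Trend Micro code: Erebus scan-scope matcher plus a parser
# and triage check for the per-file layout described in the post.
import math
import posixpath
from collections import Counter

# --- scan scope (Figure 4) -----------------------------------------------------
INCLUDED_DIRS = ('/var/www/',)
INCLUDED_FILES = (tuple(f'ibdata{i}' for i in range(10))
                  + tuple(f'ib_logfile{i}' for i in range(6)))
# Assumption: the '$' prefix in Figure 4 anchors the entry at the filesystem root.
EXCLUDED_ROOT_DIRS = ('/bin/', '/boot/', '/dev/', '/etc/', '/lib/', '/lib64/',
                      '/proc/', '/run/', '/sbin/', '/srv/', '/sys/', '/tmp/',
                      '/usr/', '/var/')
# Assumption: unanchored entries match at any depth (e.g. /home/app/.npm/).
EXCLUDED_ANYWHERE = ('/.gem/', '/.bundle/', '/.nvm/', '/.npm/')


def in_scope(path: str) -> bool:
    '''True if Erebus would search this absolute path.
    Includes are checked before excludes (assumption): otherwise $/var/ would
    shield both /var/www/ and the InnoDB files under /var/lib/mysql/, which the
    post says were encrypted. A True result only means the path is searched;
    the 433-extension filter (not reproduced on the page) is applied after.'''
    p = posixpath.normpath(path)
    if not p.startswith('/'):
        raise ValueError('absolute path required')
    pd = p + '/'                      # so prefix checks also match the directory itself
    if posixpath.basename(p) in INCLUDED_FILES:
        return True
    if pd.startswith(INCLUDED_DIRS):
        return True
    if pd.startswith(EXCLUDED_ROOT_DIRS):
        return False
    return not any(seg in pd for seg in EXCLUDED_ANYWHERE)


# --- per-file layout (Encryption Routine) --------------------------------------
HEADER_LEN = 0x438                           # from the post
RSA_FIELD_LEN = 256                          # assumption: one RSA-2048 ciphertext
FIELDS = ('filename', 'aes_key', 'rc4_key')  # order as listed in the post
PREAMBLE_LEN = HEADER_LEN + RSA_FIELD_LEN * len(FIELDS)   # 0x738 bytes
BLOCK_LEN = 500 * 1024                       # the post's 500 kB RC4 block size


def parse_layout(blob: bytes) -> dict:
    '''Split a file into header, the three RSA-wrapped fields and the RC4 body.'''
    if len(blob) < PREAMBLE_LEN:
        raise ValueError(f'need at least {PREAMBLE_LEN} bytes, got {len(blob)}')
    fields = {'header': blob[:HEADER_LEN]}
    off = HEADER_LEN
    for name in FIELDS:
        fields[name] = blob[off:off + RSA_FIELD_LEN]
        off += RSA_FIELD_LEN
    fields['body'] = blob[off:]
    fields['blocks'] = math.ceil(len(fields['body']) / BLOCK_LEN)
    return fields


def entropy_bits_per_byte(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def looks_encrypted(blob: bytes, threshold: float = 7.5) -> bool:
    '''Triage heuristic: an RC4 body sits near 8 bits/byte; PHP/HTML does not.'''
    try:
        body = parse_layout(blob)['body']
    except ValueError:                # too small to carry the preamble
        return False
    return len(body) >= 4096 and entropy_bits_per_byte(body) >= threshold


# --- RC4, used only to build a realistic constructed sample --------------------
def rc4(key: bytes, data: bytes) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):              # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray(len(data))
    i = j = 0
    for n, b in enumerate(data):      # keystream generation and XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out[n] = b ^ s[(s[i] + s[j]) & 0xFF]
    return bytes(out)


def build_sample(plaintext: bytes, rc4_key: bytes) -> bytes:
    '''Constructed Erebus-shaped file: dummy header, dummy RSA fields, real RC4
    body. The RSA fields are placeholders; no RSA or AES is performed here.'''
    preamble = bytes(HEADER_LEN) + bytes(range(256)) * len(FIELDS)
    return preamble + rc4(rc4_key, plaintext)


if __name__ == '__main__':
    for p in ('/var/www/html/index.php', '/var/lib/mysql/ibdata1',
              '/etc/passwd', '/home/app/.npm/cache/x'):
        print(p, in_scope(p))
    sample = build_sample(b'<?php echo 1; ?>' * 4096, b'demo-key')
    print(parse_layout(sample)['blocks'], looks_encrypted(sample))
```

Run it directly to print the scope decisions and the parse result for the constructed sample. On a real host, walk the tree with in_scope as the filter and feed each candidate to looks_encrypted; files shorter than 0x738 bytes can never carry the preamble, which is why parse_layout rejects them before any entropy is computed.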
Best practices for mitigating ransomware include:\r\nBacking up critical files\r\nDisabling or minimizing third-party or unverified repositories\r\nApplying the principle of least privilege\r\nEnsuring servers and endpoints are updated (or deploying virtual patching)\r\nRegularly monitoring the network\r\nInspecting event logs to check for signs of intrusion or infection\r\nSome of the security mechanisms that can be considered are:\r\nIP filtering as well as intrusion prevention and detection systems\r\nSecurity extensions in Linux that manage and limit access to files or system/network resources\r\nNetwork segmentation and data categorization to curtail and mitigate infection and further damage to data\r\nEnabling privilege separation in Linux\r\nWe will update this post as more information from our analysis of this Linux ransomware becomes available.\r\nTrend Micro Solutions\r\nTrend Micro™ Deep Security™ stops ransomware from compromising enterprise servers and workloads, whether they are physical, virtual, in the cloud, or in containers. Deep Security™ defends against network threats with intrusion prevention (IPS) and a host firewall, shielding vulnerable servers from attack with a virtual patch until a software patch can be applied. Deep Security™ keeps malware, including ransomware, off servers with anti-malware and behavioral analysis, ensuring that malicious actions are stopped immediately. 
Deep Security™ also has system security, including application control to lock down servers, and integrity monitoring that can detect potential indicators of compromise (IOCs), including ransomware.\r\nTrend Micro Deep Discovery Inspector™ protects customers from this threat via this DDI rule:\r\nDDI Rule ID 2434 – EREBUS - Ransomware - HTTP (Request)\r\nTippingPoint customers are protected from this threat via this ThreatDV filter:\r\nThreatDV: 28725: HTTP: Erebus Ransomware Check-in\r\nTrend Micro Deep Security™ protects customers from this threat via this DPI rule:\r\n1008457 - Ransomware Erebus\r\nIndicators of Compromise\r\nSHA256 hashes detected as RANSOM_ELFEREBUS.A:\r\n0b7996bca486575be15e68dba7cbd802b1e5f90436ba23f802da66292c8a055f\r\nd889734783273b7158deeae6cf804a6be99c3a5353d94225a4dbe92caf3a3d48\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-linux-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-linux-ransomware/"
	],
	"report_names": [
		"erebus-resurfaces-as-linux-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775433998,
	"ts_updated_at": 1775791302,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/01ee67cd8338daa764282dfead5c8b38fd12ac9d.pdf",
		"text": "https://archive.orkl.eu/01ee67cd8338daa764282dfead5c8b38fd12ac9d.txt",
		"img": "https://archive.orkl.eu/01ee67cd8338daa764282dfead5c8b38fd12ac9d.jpg"
	}
}