{
	"id": "9b32b9b2-10f7-4039-8b8f-43f59c248407",
	"created_at": "2026-04-06T00:16:28.668928Z",
	"updated_at": "2026-04-10T03:24:18.178873Z",
	"deleted_at": null,
	"sha1_hash": "adc6c259bb0270e22e83f63cea05797cf0b5a8cc",
	"title": "Erebus Linux Ransomware: Impact to Servers and Countermeasures",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 89451,
	"plain_text": "Erebus Linux Ransomware: Impact to Servers and\r\nCountermeasures\r\nArchived: 2026-04-05 16:55:31 UTC\r\nOn June 10, South Korea-based web hosting company NAYANA became one of the latest high-profile victims of\r\nransomware after 153 of its Linux servers were found infected with an Erebus ransomware (detected by Trend\r\nMicro as RANSOM_ELFEREBUS.A) variant. The ransomware attack affected the websites, database and\r\nmultimedia files of around 3,400 businesses employing NAYANA’s service.\r\nIn the latest notice posted on the company’s website, it appears cybercriminals successfully forced NAYANA into\r\npaying the ransom—they paid the first of three payments they plan to make for all the keys needed to decrypt the\r\ninfected files. However, NAYANA has yet to receive the first decryption key.\r\n[Related: Learn more about SAMSAM, one of the first ransomware to infect servers]\r\nErebus evolved from using exploit kits to bypassing User Account Control\r\nErebus ransomware (RANSOM_EREBUS.A) first emerged last September 2016news- cybercrime-and-digital-threats being distributed by malvertisements (malicious advertisements). The malicious ads diverted victims to the\r\nRig exploit kit, which infects the victim's systems with the ransomware. This Erebus variant targets 423 file types,\r\nscrambles files with RSA-2048 encryption algorithm, and appends the affected files with the .ecrypt extension.\r\nThis version of Erebus was observed using compromised websites in South Korea as its command and control\r\n(C\u0026C) servers.\r\nBy February 2017, Erebus was found to have evolved and changed tacticsnews- cybercrime-and-digital-threats,\r\nusing a technique that bypassesnews article User Account Control (UAC)—a Windows feature that helps prevent\r\nunauthorized changes in the system—in order to execute the ransomware with elevated privileges. 
In its ransom note, Erebus threatens to delete the victim’s files within 96 hours unless the ransom of 0.085 Bitcoin (US$216 as of June 15, 2017) is paid. This version (RANSOM_EREBUS.TOR) also deletes shadow copies to prevent victims from recovering their files.\r\n[Read: A technical overview of the fileless, code-injecting SOREBRECT ransomware that can encrypt network shares]\r\nErebus Ransomware can now infect servers\r\nThe variant that infected NAYANA’s servers is Erebus ransomware ported to Linux servers. Trend Micro’s ongoing analysis indicates that this version encrypts each file with its own unique AES key and then encrypts those AES keys with RSA, so the files cannot be recovered without the corresponding RSA private key. Its persistence mechanisms include adding a fake Bluetooth service so that the ransomware is executed again after the system or server is rebooted. It also uses cron, the job scheduler of Unix-like operating systems such as Linux, to check hourly whether the ransomware is still running. As in NAYANA’s case, it originally demanded 10 Bitcoins ($24,689); the ransom has since gone down to 5 BTC ($12,344).\r\nThis iteration of Erebus targets 433 file types, some of which include:\r\nOffice documents (.pptx, .docx, .xlsx)\r\nDatabases (.sql, .mdb, .dbf, .odb)\r\nArchives (.zip, .rar)\r\nEmail files (.eml, .msg)\r\nWebsite-related and developer project files (.html, .css, .php, .java)\r\nMultimedia files (.avi, .mp4)\r\n[READ: How UNIX-like systems like Linux affected the ransomware landscape]\r\nErebus isn’t the first file-encrypting malware to target Linux systems, or even servers. 
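The hybrid scheme described above (a unique AES key per file, with the AES keys themselves encrypted under the attacker’s RSA key) is the reason the files cannot be recovered without the decryption key the attackers are withholding from NAYANA. The following Python block is an added example, not code from the page or from Trend Micro, that models that design with standard-library primitives. Because Python ships no AES, the per-file cipher is a stand-in stream cipher built from HMAC-SHA256 in counter mode, and the key wrapping is textbook RSA with demo-sized primes; both are assumptions for illustration and not suitable for real use. Only the structure is the point: every file gets a fresh key, only the RSA-wrapped form of that key stays on disk, and nothing on the victim’s server can unwrap it without the private key.

```python
import hashlib
import hmac
import secrets

# Added example (not the page's or Trend Micro's code) of the hybrid design the
# article describes: one random key per file, each wrapped with the attacker's
# RSA public key. Stand-ins for the demo: HMAC-SHA256 in counter mode replaces
# AES (the standard library has none) and the RSA modulus is demo-sized.


def is_probable_prime(n, rounds=32):
    # Miller-Rabin probabilistic primality test.
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits=192):
    # Returns ((n, e), (n, d)). 192-bit primes keep the demo fast; the wrapped
    # 128-bit key must be smaller than n, so the modulus has to exceed 128 bits.
    e = 65537
    while True:
        p, q = random_prime(bits), random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e), (p * q, pow(e, -1, phi))


def keystream_cipher(key, data):
    # XOR data with HMAC(key, block counter); the same call decrypts.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(8, 'big'), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt_file(public_key, plaintext):
    # Fresh 128-bit key per file; only its RSA-wrapped form is kept with the
    # ciphertext, so recovery needs the matching private key.
    n, e = public_key
    file_key = secrets.token_bytes(16)
    wrapped_key = pow(int.from_bytes(file_key, 'big'), e, n)
    return wrapped_key, keystream_cipher(file_key, plaintext)


def decrypt_file(private_key, wrapped_key, ciphertext):
    n, d = private_key
    file_key = pow(wrapped_key, d, n).to_bytes(16, 'big')
    return keystream_cipher(file_key, ciphertext)


def demo(files):
    # Encrypt every file under the attacker's public key, then restore with the
    # private key the victim would have to buy. Returns the restored files.
    attacker_pub, attacker_priv = rsa_keygen()
    encrypted = {name: encrypt_file(attacker_pub, data) for name, data in files.items()}
    return {name: decrypt_file(attacker_priv, w, c) for name, (w, c) in encrypted.items()}


if __name__ == '__main__':
    sample = {'index.php': b'<?php echo 1; ?>', 'dump.sql': b'INSERT INTO t VALUES (1);'}
    print(demo(sample) == sample)
```

Two encryptions of the same file produce different wrapped keys and different ciphertext, which is also why recovering one file key does not help with the others: each wrapped blob has to be unwrapped separately with the private key.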
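The two persistence mechanisms above, a service that masquerades as Bluetooth and an hourly cron job, are also what a responder should look for on a suspect server. The following Python block is an added example, not code from the page or from Trend Micro, of a triage check that parses user-crontab entries and systemd-style unit files and flags hourly jobs or services whose executable lives outside the usual system directories, plus any service that calls itself Bluetooth but does not run the distribution’s bluetoothd. The trusted-directory list, the expected bluetoothd paths, and the sample crontab and units are all constructed assumptions for the demo, not Erebus indicators.

```python
# Added example (not the page's or Trend Micro's code): triage for the cron and
# fake-service persistence described above. Inputs are constructed for the demo.

# Where a legitimately installed executable is expected to live. Anything else
# (/tmp, /var/tmp, /dev/shm, home or hidden directories) is treated as a lead.
TRUSTED_DIRS = ('/bin/', '/sbin/', '/usr/', '/opt/', '/etc/', '/lib/', '/lib64/')
# Assumed locations of the real bluetoothd on common distributions.
EXPECTED_BLUETOOTHD = ('/usr/lib/bluetooth/bluetoothd', '/usr/libexec/bluetooth/bluetoothd')


def first_executable(command):
    # First path-like token of a command, skipping leading VAR=value assignments
    # and systemd ExecStart prefixes such as -, @ or !.
    for token in command.split():
        if '=' in token and not token.startswith('/'):
            continue
        return token.lstrip('-@!+:')
    return ''


def untrusted_path(path):
    return path.startswith('/') and not path.startswith(TRUSTED_DIRS)


def is_hourly(schedule):
    # True when the job fires at least once an hour: @hourly, or an hour field
    # that is a wildcard or a step value such as */2.
    fields = schedule.split()
    if fields == ['@hourly']:
        return True
    if len(fields) != 5:
        return False
    return fields[1] == '*' or fields[1].startswith('*/')


def parse_crontab(text):
    # User-crontab format: five schedule fields (or an @keyword) then the command.
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('@'):
            sched, _, cmd = line.partition(' ')
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue  # environment assignment such as MAILTO=root
            sched, cmd = ' '.join(parts[:5]), parts[5]
        jobs.append((sched.strip(), cmd.strip()))
    return jobs


def parse_unit(text):
    # Minimal key=value reader for a systemd unit; section headers are ignored.
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(('#', '[')) and '=' in line:
            key, _, value = line.partition('=')
            fields[key.strip()] = value.strip()
    return fields


def audit_cron(crontab_text):
    findings = []
    for sched, cmd in parse_crontab(crontab_text):
        exe = first_executable(cmd)
        if is_hourly(sched) and untrusted_path(exe):
            findings.append('cron: hourly job runs untrusted path ' + exe)
    return findings


def audit_units(units):
    findings = []
    for name, text in units.items():
        unit = parse_unit(text)
        exe = first_executable(unit.get('ExecStart', ''))
        if untrusted_path(exe):
            findings.append('unit ' + name + ': ExecStart outside system dirs: ' + exe)
        claims_bluetooth = 'bluetooth' in (name + unit.get('Description', '')).lower()
        if claims_bluetooth and exe not in EXPECTED_BLUETOOTHD:
            findings.append('unit ' + name + ': claims to be Bluetooth but runs ' + exe)
    return findings


# Constructed sample input for the demo (not real Erebus artifacts).
SAMPLE_CRONTAB = '''
MAILTO=root
0 3 * * 0 /usr/bin/certbot renew --quiet
@hourly /var/tmp/.cache/svc.sh
*/10 * * * * /usr/local/bin/backup-check
'''

SAMPLE_UNITS = {
    'bluetooth.service': '''
[Unit]
Description=Bluetooth service
[Service]
ExecStart=/usr/lib/bluetooth/bluetoothd
''',
    'bluetooth-helper.service': '''
[Unit]
Description=Bluetooth helper
[Service]
ExecStart=-/var/tmp/.cache/bluetoothd
''',
}

if __name__ == '__main__':
    for finding in audit_cron(SAMPLE_CRONTAB) + audit_units(SAMPLE_UNITS):
        print(finding)
```

On a live host, feed audit_cron the output of crontab -l for each user and audit_units the unit files under /etc/systemd/system; the system crontab and /etc/cron.d files carry an extra user field before the command and would need that field dropped first. Treat hits as leads for manual verification (hashes, package ownership, file timestamps), not as verdicts.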
Families such as Linux.Encoder, Encryptor RaaS, a version of KillDisk, Rex, Fairware, and KimcilWare are all capable of targeting machines running Linux. In fact, Linux ransomware emerged as early as 2014, as offshoots of open-source projects supposedly designed for educational purposes. SAMSAM, Petya, and Crysis are just some of the families known to target and breach servers.\r\nWhile Linux ransomware isn’t as established or mature as its Windows counterparts, it can still have a significant adverse impact on users and especially on enterprises. As the NAYANA case shows, Linux is an increasingly popular operating system and a ubiquitous element in the business processes of organizations across industries, from servers and databases to web development and mobile devices. Data centers and hosting/storage service providers, for instance, also commonly run Linux.\r\n[READ: Multilayered solutions to server-side ransomware]\r\nBest practices for securing Linux servers and systems\r\nThe impact of ransomware such as Erebus on an organization’s operations, reputation, and bottom line highlights the importance of securing the servers and systems that power an enterprise’s business processes. The effect is multiplied if ransomware manages to infect not only endpoints but also servers and networks. Here are some best practices that IT/system administrators and information security professionals can adopt to strengthen the security posture of their servers and systems:\r\nKeep the system and server updated. A strong patch management policy should be enforced to ensure that the system and server have the latest patches, fixes, and kernel.\r\nAvoid or minimize adding third-party or unknown repositories or packages. 
This limits the vulnerabilities attackers can use as entry points into the server or system. The risk can be further reduced by removing or disabling unnecessary components or services on the server.\r\nApply the principle of least privilege. Linux’s privilege separation provides a way to restrict the modifications a program can make to the system. Restricting permissions and privileges also helps limit exposure and further damage, and prevents unauthorized use. IT/system administrators can also consider using extensions that implement mandatory access control policies (such as SELinux or AppArmor) to limit the extent of access a program can have to a system file or network resource.\r\nProactively monitor and validate your network traffic. Protecting the network against threats is a must for any enterprise. Deploying intrusion detection and prevention systems as well as firewalls helps identify, filter, and block traffic that can indicate a malware infection. Event logs provide forensic information that can help IT/system administrators detect intrusion attempts and actual attacks.\r\nBack up your files. An effective countermeasure against ransomware’s extortion and its impact is to keep backups of the files stored on the system or server: at least three copies, on two different media, with one stored offsite. Since Erebus deletes shadow copies, backups must also be kept where a compromised server cannot overwrite or encrypt them, and restores should be tested regularly.\r\nApply network segmentation and data categorization. Network segmentation curbs the spread of infection, while data categorization mitigates the damage that may be incurred from an attack.\r\nAn update on the incident and a technical overview of the ransomware can be found in this article.\r\nTrend Micro Solutions\r\nTrend Micro™ Deep Security™ stops ransomware from compromising enterprise servers and workloads, regardless of whether they’re physical, virtual, in the cloud, or in containers. 
Deep Security™ defends against network threats with intrusion prevention (IPS) and a host firewall, shielding vulnerable servers from attack with a virtual patch until a software patch can be applied. It keeps malware, including ransomware, off servers with anti-malware and behavioral analysis that stop malicious actions as they occur. Deep Security™ also provides system security, including application control to lock down servers and integrity monitoring that can detect potential indicators of compromise (IOCs), including ransomware.\r\nSource: https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/erebus-linux-ransomware-impact-to-servers-and-countermeasures",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/erebus-linux-ransomware-impact-to-servers-and-countermeasures"
	],
	"report_names": [
		"erebus-linux-ransomware-impact-to-servers-and-countermeasures"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434588,
	"ts_updated_at": 1775791458,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/adc6c259bb0270e22e83f63cea05797cf0b5a8cc.pdf",
		"text": "https://archive.orkl.eu/adc6c259bb0270e22e83f63cea05797cf0b5a8cc.txt",
		"img": "https://archive.orkl.eu/adc6c259bb0270e22e83f63cea05797cf0b5a8cc.jpg"
	}
}