The payments will be made in three batches, and the attackers will decrypt the affected servers. Two payments were already made. The ransomware used in this attack was Erebus, which was ported to Linux. Nayana servers are running on Linux kernel 126.96.36.199, which was compiled back in 2008. They also use Apache version 1.3.36 and PHP version 5.1.4, both released in 2006 and known to include vulnerabilities.
The ransomware targeted South Korea, Ukraine and Romania. Erebus uses the RSA algorithm to encrypt AES keys and each infected file is encrypted with a unique key. The AES key is again encrypted using RSA-2018 algorithm that is also stored in the file. The ransomware targets Office documents, databases, archives, and multimedia files, being able to encrypt a total of 433 file types. As they announced, Nayana engineers were in the process of recovering the data but they cautioned that the recovery is difficult and would take time. The ransomware behind may be a record payout. The Erebus variant that hit Nayana appears to have been designed to target Web servers.