Nayana, a South Korean web hosting firm, this month agreed to pay more than $1 million-worth of cryptocurrency to hackers who infected 153 Linux servers and over 3,400 business websites the company maintains with a strain of ransomware called Erebus.

The infection first hit company networks on 10 June and, two days later, customers were informed of the full scale of the attack. Initially, the hackers demanded a huge ransom of five billion won ($4.4m, £3.6m) to decrypt the files, which later changed to 550 bitcoin ($1.6m, £1.1m).

A note read: "If you cannot pay that, you should go bankrupt. You need to face your child, wife, customers and employees. Also, you will lose your reputation, business. You will get many more lawsuits."

In an update posted on 14 June, Nayana revealed it was able to negotiate with the hackers, eventually lowering the ransom to 1.2 billion won (roughly $1m, £831,000) to be paid in three instalments.

The hackers asked for the money in bitcoin, a popular form of digital currency. The amount of cryptocurrency agreed on was 397.6 bitcoin, the company revealed.

Experts believe it could be a record pay-out, although stress many firms simply don't speak about such attacks.

"This is a record ransom from what I know, although some will have paid and not gone public," Angela Sasse, director of the Institute in the Science of Cybersecurity, told the BBC.

In a statement posted on Nayana's website on 17 June, the firm said the two of three payments had already been finalised. Within 24 hours it had started the process of recovering the servers in batches – however a number in the second batch had reported database errors.

"I sincerely apologise to all those who have experienced the shock and damage caused by this incident," Nayana chief Hwang Chilghong wrote. "It is very frustrating and difficult, but I am really doing my best and I will do my best to make sure all servers are normalised," he added.

The firm said the third, and what it hopes will be the last, payment will be made after the other two batches of servers have been recovered. An exact timescale remains unknown. Ransomware culprits typically do cooperate with their victims as it's a key part of the criminal business model.

"Since it is the last negotiation with the hacker, we will be more careful in checking whether the decryption key is normal and testing whether it is possible to recover it," Chilghong noted on 18 June. "The time to complete the third round of negotiations is difficult to predict at this time."

According to Japanese cybersecurity firm Trend Micro, which analysed the incident, the hackers used Erebus ransomware, a strain first spotted in malicious online advertising in September 2016. It re-emerged, the firm said, in February this year in an attack targeting Windows.

bitcoin sign
The hackers demanded a bitcoin ransom Reuters

According to Trend, Erebus works by threatening to delete the victim's files within 96 hours unless the ransom is paid. This version (known as Ransom_Erebus.Tor) reportedly has capability of deleting "shadow copies" of computer data to prevent victims from recovering their files.

In its current format, the ransomware is most widespread in South Korea. "While Linux ransomware isn't as established or mature as its Windows counterparts, they can still present significant adverse impact to users and especially enterprises," Trend said in a blog post.

"As exemplified by Nayana, Linux is an increasingly popular operating system and a ubiquitous element in the business processes of organisations across various industries—from servers and databases to web development and mobile devices," it added.

Ransomware has become a major online threat. Earlier this year, a variant known as "WannaCry" infected computers in 150 countries. It now regularly impacts businesses, schools and medical facilities. Last year, one US hospital paid $17,000 after critical systems were infected.