WannaCry only demanded Attack.Ransom $ 300 from each victim . These hackers extorted Attack.Ransom $ 1 million from one South Korean company . Hackers appear to have pulled off Attack.Ransom a $ 1 million heist with ransomware in South Korea . The ransomware attacked Attack.Ransom more than 153 Linux servers that South Korean web provider Nayana hosted , locking up more than 3,400 websites on June 10 . In Nayana 's first announcement a few days later , it said the hackers demanded Attack.Ransom 550 bitcoins to free up all the servers -- about $ 1.62 million . Four days later , Nayana said it 'd negotiated with the attackers and got the payment reduced Attack.Ransom to 397 bitcoins , or about $ 1 million . This is the single largest-known payout for a ransomware attack Attack.Ransom , and it was an attack Attack.Ransom on one company . For comparison , the WannaCry ransomware attacked Attack.Ransom 200,000 computers across 150 countries , and has only pooled $ 127,142 in bitcoins since it surfaced . Ransomware demands Attack.Ransom have risen rapidly over the past year , tripling in price from 2015 to 2016 . But even then , the highest cost of a single ransomware attack Attack.Ransom was $ 28,730 . Nayana agreed to pay Attack.Ransom the ransomware in three installments , and said Saturday it 's already paid Attack.Ransom two-thirds of the $ 1 million demand Attack.Ransom . `` It is very frustrating and difficult , but I am really doing my best and I will do my best to make sure all servers are normalized , '' a Nayana administrator said , according to a Google translation of the blog post . The company is expected to make the final payment Attack.Ransom once all the servers from the first and second payouts Attack.Ransom have been restored . Trend Micro , a cybersecurity research firm , identified the ransomware as Erebus , which targets Linux servers for attacks . It first surfaced in September through web ads , and popped up again in February . `` It 's worth noting that this ransomware is limited in terms of coverage , and is , in fact , heavily concentrated in South Korea , '' Trend Micro researchers said Monday in a blog post . Paying ransomware Attack.Ransom is at the victim 's discretion , but nearly all organizations , including government agencies and security researchers , advise against it .

The Colorado Department of Transportation ( DOT ) has shut down over 2,000 computers after some systems got infected with the SamSam ransomware on Wednesday , February 21 . The agency 's IT staff is working with its antivirus provider McAfee to remediate affected workstations and safeguard other endpoints before before reintroducing PCs into its network . DOT officials told local press [ 1 , 2 ] that crucial systems were not affected , such as those managing road surveillance cameras , traffic alerts , message boards , and others . The agency 's Twitter feed continued to show traffic alerts after the agency shut down much of its employees ' IT network . Colorado DOT will not pay the ransom Attack.Ransom In a rare sign of transparency , officials revealed the name of the ransomware —SamSam . This is the same ransomware strain that infected hospitals , city councils , and ICS firms in January . The hackers made over $ 300,000 from those attacks . One of the victims , an Indiana hospital agreed to pay Attack.Ransom a $ 55,000 ransom demand Attack.Ransom despite having backups . Hospital officials said it was easier and faster to pay the ransom Attack.Ransom than restore all its computers ' data from backups . DOT officials said they do n't intend to follow suit by paying the ransom demand Attack.Ransom and they will restore from backups . SamSam ransomware making a comeback The SamSam ransomware is a ransomware strain that 's been deployed by a single group . Infection occurs after attackers gain access to a company 's internal networks by brute-forcing RDP connections . Attackers then try to gain access to as many computers on the same network as possible , on which they manually run the SamSam ransomware to encrypt files . In the recent campaigns , SamSam operators usually asked for Attack.Ransom a 1 Bitcoin ransom Attack.Ransom and left a message of `` I 'm sorry '' on victims ' computers . The SamSam group had been previously active in the winter of 2016 but have come back with new attacks . These new attacks have been detailed in reports published by Bleeping Computer , Secureworks , and Cisco Talos .