Danish Hosting Firms Lose All Customer Data in Ransomware Attack
Two Danish enterprise cloud hosting companies lost all of their customers’ data and had to shut down their servers in the wake of devastating ransomware attacks earlier this month.
CloudNordic and Azero, both owned by Certiqa Holding, said in twin statements this week that they were attacked early in the morning of August 18 by hackers who shut down all of their systems.
“Website, e-mail systems, customer systems, our customers’ websites, etc.,” CloudNordic wrote. “Everything. A break-in that has paralyzed CloudNordic completely, and which also hits our customers hard. … Unfortunately, it has proved impossible to recreate more data, and the majority of our customers have thus lost all data with us. This applies to everyone we have not contacted at this time.”
The companies also said they could not meet the unnamed attackers’ ransom demands and would not have paid the money if they could. Officials with both companies notified law enforcement of the attack.
According to CloudNordic and Azero, the attacks occurred after they had moved servers from one data center to another. The systems that were moved were protected via firewalls and antivirus software, but the companies now believe some of the machines were infected before the move.
Lying in Wait
The infection “had not been actively used in the previous data center, and we had no knowledge that there was an infection,” they wrote. “During the work of moving servers from one data center to the other, servers that were previously on separate networks were unfortunately wired to access our internal network that is used to manage all of our servers.”
The threat actors gained access to the central administration systems and backup systems through the internal network, the companies wrote. Through the backup system, the attackers hit the motherlode, getting access to all the data that was stored as well as the replication backup and secondary backup systems.
From there they encrypted all the disks on the servers and both backup systems. At that point, all the machines crashed and CloudNordic and Azero administrators were unable to access any of the data. While the data has been encrypted, it’s unclear whether it has been exfiltrated as part of a double-extortion scheme that is becoming more common in ransomware attacks.
To put more pressure on victims to pay the ransom, threat groups often will take data as well as encrypt it and threaten to leak the data publicly.
“The attack occurred by encrypting all disks for all virtual machines, and we have seen no evidence of a data breach,” the companies wrote. “We have not seen the attackers have access to the data content of the machines themselves, but to administration systems from which they could encrypt entire disks. Very large amounts of data were encrypted, and we have seen no signs that large amounts of data have been attempted to be copied out.”
Rebuilding from the Rubble
At this point, the companies seem to be trying to remake their operations to give customers some operational capabilities.
“We have now re-established blank systems, e.g. name servers (without data), web servers (without data) and mail servers (without data),” they wrote.
They also outlined steps for customers whose domains quickly need DNS management and for domains that customers want moved, along with recommendations for recreating their websites and for moving forward with email.
The attacks generated some conversation on Reddit, with a debate about immutable vs. air-gapped backups. One person noted that “even if a system is airgapped, what happens if something gets in due to negligence or something like a tech plugging in with a compromised device?”
Another argued for using tape silos, with one set of backups staying on-site and another moving to an offsite provider, which they wrote has been done for decades.
“The lesson I get from this is that one should consider packing one’s own parachute and have offsite backups,” the person wrote. “Yes, egress fees from cloud to a backup area may be prohibitive, but cheaper than completely losing everything, should the cloud provider collapse like this.”
The Growing Ransomware Threat
The attacks on CloudNordic and Azero come as cybersecurity vendors report a continuing rise in ransomware attacks around the world. Most recently, NCC Group said that the number of ransomware attacks last month jumped 153% year-over-year – to 502 – due in large part to the threat group Cl0p and its widespread attacks that exploited a zero-day flaw in the MOVEit managed file transfer software from Ipswitch.
Cl0p was responsible for 171 of the 502 ransomware attacks in July, NCC Group wrote. The number of organizations that have so far been directly or indirectly affected by Cl0p’s MOVEit attacks stands at about 545, according to cybersecurity services provider Compass IT Compliance.

