The ransomware attack resulted in disruptions for six of its customers, although only managed services were affected
On Thursday, one of the largest data center providers, CyrusOne, announced that it had suffered a ransomware attack: some of its systems were affected, which in turn disrupted the operations of six customers. The company contacted forensic investigators as well as law enforcement to assist with the incident, which occurred on Wednesday.
While the point of entry is still unknown, it is now known that it was the REvil (Sodinokibi) ransomware that encrypted several devices, primarily located in the company's New York-based data center. As a result of the attack, the affected customers experienced disruptions and availability issues.
According to an advisory published on Thursday, only some of the provided services were affected:
CyrusOne’s data center colocation services, including IX and IP Network Services, are not involved in this incident.
Upon discovery of the incident, CyrusOne initiated its response and continuity protocols to determine what occurred, restore systems and notify the appropriate legal authorities. The investigation is ongoing and CyrusOne is working closely with third-party experts to address this matter.
CyrusOne is a Dallas-based data center provider that operates 45 facilities and serves around 1,000 customers in the US, London, Singapore, and other locations. Its clientele includes network operators, cloud services, enterprises, and support services.
REvil/Sodinokibi operators' demands not met: CyrusOne is not paying the ransom
CyrusOne is yet another victim of the already known ransomware strain REvil (also known as Sodinokibi), which mainly targets businesses and organizations worldwide, demanding large ransoms for the data it locks on affected networks. The malware is believed to be the successor of the now-defunct GandCrab ransomware and is operated by a regrouped cybercriminal gang. Most recently, REvil struck Texas governments, as well as more than 400 US dentist offices, in August this year.
Initially, it was unknown which ransomware had struck CyrusOne. However, the news outlet ZDNet managed to obtain the ransom note left at the company, which confirmed that the attack was targeted; the note started as follows:
Welcome CyrusOne and Dear Customers
The size of the ransom is still unknown, but CyrusOne has reportedly declined to meet the attackers' demands, for fear of repeat attacks. It is highly likely that the data center provider will instead restore its files from backups.
Phishing attack suspected as an attack vector
While it is still unclear how the REvil ransomware managed to breach CyrusOne, much of the speculation suggests that it was a social engineering attack. According to security experts, approximately 97% of corporate malware infections are the result of targeted phishing attacks (mainly spear phishing).
Spear phishing is one of the most common techniques cybercriminals use against high-profile organizations, as digging up the email addresses of associated individuals is relatively easy on the dark web. Additionally, CyrusOne has a few thousand connected contacts on LinkedIn, which could be abused in a targeted malicious email. The tactic is well known and frequently used by criminal gangs such as the Cobalt Group.
Despite the disruptions caused by malware infections, there are always ways to contain and successfully mitigate ransomware attacks. Every reputable company should practice basic security measures, including endpoint protection, access control restrictions, security training, software patching, and so on.
However, the most reliable way to limit the impact of a ransomware attack is to keep backups of all necessary files. The backups also need to be adequately isolated from the production servers so that the ransomware cannot encrypt them as well.