Danish hosting firms CloudNordic and AzeroCloud have suffered ransomware attacks, causing the loss of the majority of customer data and forcing the hosting providers to shut down all systems, including websites, email, and customer sites.
The two brands belong to the same company and stated that the attack unfolded last Friday night. However, today's operational status remains highly problematic, with the firm's IT teams only managing to restore some servers without any data.
Moreover, the firm's statement clarifies that it won't be paying the threat actors a ransom and has already engaged with security experts and reported the incident to the police.
Unfortunately, the system and data restoration process isn't going smoothly, and CloudNordic says many of its customers have lost data that appears to be irrecoverable.
"Since we neither can nor wish to meet the financial demands of the criminal hackers for a ransom, CloudNordic's IT team and external experts have been working intensively to assess the damage and determine what could be recovered," reads CloudNordic's statement (machine translated)
"Sadly, it has been impossible to recover more data, and the majority of our customers have consequently lost all their data with us."
Both public notices include instructions on recovering websites and services from local backups or Wayback Machine archives.
Given the situation, the two hosting service providers previously recommended that heavily impacted customers move to other providers, such as Powernet and Nordicway.
Hitting at the right moment
The hosting company's statements revealed that some of the firm's servers had been infected by ransomware despite being protected by firewalls and antivirus.
During a data center migration, those servers were connected to the broader network, allowing the attackers to access critical administrative systems, all data storage silos, and all backup systems.
Next, the attackers encrypted all server disks, including primary and secondary backups, corrupting everything without leaving a recovery opportunity.
CloudNordic says that the attack was limited to encrypting data, and the collected evidence does not indicate that any data on the machines was accessed or exfiltrated. That said, there's no evidence of a data breach.
Danish media reports that the attacks have impacted "several hundred Danish companies" who lost everything they stored in the cloud, including websites, email inboxes, documents, etc.
Martin Haslund Johansson, the director of Azerocloud and CloudNordic, stated that he does not expect customers to be left with them when the recovery is finally completed.
Targeting hosting providers is a tactic used by ransomware gangs in the past as it causes large-scale damage and creates many victims in a single attack.
Due to the number of victims, providers will be under a lot of pressure to pay a ransom to restore their operations and potentially avoid lawsuits from customers who lost their data.
In 2017, a similar attack led a South Korean hosting provider to pay a $1 million ransomware demand to recover its customers' data.
More recently, Rackspace suffered a Play ransomware attack on its hosted Microsoft Exchange services that led to email outages for many of its customers.
Comments
vladix - 8 months ago
Painful to read, pff..
Discontinuation - 8 months ago
How could you lose all the tapes? Hourly, Daily, Weekly, Monthly, Yearly. There should be Thousands of these backup off line tapes.
leexgx - 8 months ago
Everything was likely in esxi vms on the same Network no isolation or different backups software (if they where they probably tuning on another esxi vm that got encrypted as well)
Discontinuation - 8 months ago
I don't get it. Don't they copy vm to tapes or other clouds with generational backups? Does Admin school say "your backup is a mirror?" - I'm thinking they don't have the insurance to pay for the restore, so bankrupt co and solicit current clients under your new name.
username2 - 8 months ago
Seems options were weighed that tilted to restoring and not paying the ransom. Rather unfortunate. I wonder if there is still a window of time to still pay the ransom knowing that there are no guarantees rather than going bankrupt and facing litigation.
Discontinuation - 8 months ago
I didn't mean bankrupt to pay the ransom. Never pay the ransom! I'm saying it would cost them too much to do the restore from their backups. Time involved to pay someone with some brains to do it. I don't buy that they don't have backup. My bet is they are too cheap to pay someone to do it. 3rd world countries can land on the Moon, but we can't stop ransom ware! Offer clients copies of the vm prior to the attach so they can setup on another cloud system.
GoboFraggel - 8 months ago
Immutable flash array with snapshots every 5 minutes going back 10 days. In order to delete snapshots or data two people with a secret pin need to get on a zoom session with tech support and provide the pins. Even myself as the admin cannot delete anything. Pins are written on paper and stored in a safe.
Mobz - 8 months ago
According to local news, the hackers wanted 6 bitcoin, about 1 million danish kroner. But they have choosed not to pay the ransom. And a very emotional ceo of the Company says they will help their customer get back up, but without any data and he does not think that any Company will stay with them after this (so basically bankrupt). Sometimes you might have to ask if it could be worth the too pay the money, even though your Company will probably will not exist anymore after something like this. But then you have tried everything you can, to get something back for your customers.