American data center provider CyrusOne has fallen prey to a ransomware attack. The Sodinokibi infection caused major disruption to the firm's services.
CyrusOne Faced Ransomware Attack
US data center provider CyrusOne has become the victim of a ransomware attack. While the firm has not yet revealed any details, FIA Tech, one of CyrusOne's clients, has informed its customers of the incident.
As revealed in that notice, the attack also disrupted FIA Tech's own services, leading to outages.
Based on our team’s analysis and that of our third party security experts, our outage was caused by a hacking incident which originated from inside our data center provider’s management network.
Explaining the incident further, FIA Tech said the attack continued for 4 hours, during which the attackers had access to its production and disaster recovery environments.
FIA Tech identified the malware involved as a Sodinokibi variant, a relatively new strain whose signature many antivirus products did not yet carry. Note that this says something only about signature-based detection; the file-encryption behaviour itself is what behaviour-based endpoint controls are built to catch.
Based on our initial research, the attack on our datacenter provider involved a combination of tools, and then finally the encryption of our machines was performed by a variant of Ransom.Win32.SODINOKIBI.AUWTF. The signature of this variant was not in the databases of many commercial antivirus providers.
While FIA Tech did not name the data center provider, ZDNet has confirmed it to be CyrusOne and has also obtained a copy of the ransom note.
No Data Exfiltration Noticed Yet
Though the attackers had access to the victim's environments, FIA Tech said it had found no trace of data exfiltration.
There is currently no evidence that any data was exfiltrated; instead, the attack was focused on disrupting operations in an attempt to obtain a ransom from our data center provider. The service provider believes the objective of the hack was not to steal data.
According to ZDNet, the attack did not impact all of CyrusOne's data centers. Let's hope the affected ones were adequately backed up. Given that the attackers also reached the disaster recovery environment, the question that matters is whether the affected customers held offline or otherwise isolated backups that the intruders could not touch.
In September, Sodinokibi also hit a dental data backup firm. There, too, there was no sign of data exfiltration, only a ransom demand.
Let us know your thoughts in the comments.