CyrusOne, a major provider of enterprise data center services, is reported to have suffered a ransomware attack. The Dallas-headquartered company, which operates more than 30 data centers across the United States, China, London, and Singapore, is reported by ZDnet to have had some of its systems infected by the REvil (Sodinokibi) ransomware. According to security journalist Catalin Cimpanu, who broke the story, the firm was hit by a targeted attack against its network yesterday, and received a ransom message demanding payment for the recovery of encrypted files.
Part of the extortion email obtained by ZDNet reads as follows, seemingly in an attempt to reassure CyrusOne that payment of the ransom will result in the data being recovered:
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.
What isn't known at present is how the ransomware managed to breach CyrusOne's systems. However, in the past the REvil ransomware has been distributed through malicious email campaigns using spearphishing and boobytrapped documents, compromising RDP, exploit kits, and other techniques. ZDNet reports that although CyrusOne has made no public statement about the security incident, at least one of its corporate clients has warned its own customers about the problem. Financial and brokerage business FIA Tech informed its customers of an outage of their cloud services caused by problems at its data center provider, which ZDnet's Cimpanu identified as CyrusOne. It's worth remembering that a recovery from a ransomware attack (either by giving in to the extortionists and paying their ransom demand or by restoring from a clean backup) is not complete until the method through which the security breach occurred has been identified and fixed. After all, the worst thing in the world would be to recover after a ransomware attack only to find yourself hit again by another attack the following week. As ever, it's best if you can prevent a ransomware infection in the first place - rather than put your company through the experience of trying to mop up afterwards. Note: CyrusOne have confirmed a ransomware incident at their New York Data Centre. You can read the press release here: http://investor.cyrusone.com/news-releases/news-release-details/managed-service-division-cyrusone-addresses-ransomware-incident
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
