UPDATED 17:56 BST with CyrusOne comment
Major data centre provider CyrusOne has confirmed a ransomware attack that it said today has impacted six of its managed service customers, located “primarily” in its New York data centre.
News of the ransomware attack was first reported late Wednesday by ZDNet’s Catalin Cimpanu. The NASDAQ-listed company’s shares fell approximately five percent on the news.
The company provides colocation facilities for approximately 1,000 customers in 48 data centers and two recovery centers in 13 markets (10 cities in the U.S., London, Singapore and Frankfurt).
Cimpanu reports that the incident took place Tuesday and was caused by a version of the REvil (Sodinokibi) ransomware.
CyrusOne told Computer Business Review: “Six of our managed service customers, located primarily in our New York data center, have experienced availability issues due to a ransomware program encrypting certain devices in their network.
“We have initiated our incident response and continuity protocols and we are working with the customers involved to restore their systems. Law enforcement has been notified and we will support their investigative efforts. Our data center colocation services, including IX and IP Network Services, are not involved in this incident. Our investigation is on-going and we are working closely with third-party experts to address this matter.”
Sodinokibi first appeared in April 2019 and was initially observed in the wild propagating itself by exploiting a vulnerability in Oracle’s WebLogic server, but has been seen using a number of approaches.
The attack is the latest in a string of ransomware incidents this year, many of them seeming to be highly targeted.
The initial vector is not known, but Sodinokibi has been observed distributing the ransomware using spear-phishing and weaponised documents, as well as using bat-files to download payloads from Pastebin and inject them into a process on the operating system, or, as McAfee notes, compromising RDP and usage of script files and password cracking tools to distribute over the victim’s network and compromise of Managed Service Providers and usage of their distribution software to spread the ransomware.
A series of McAfee honeypots designed specifically to harvest information about this ransomware family found a typical initial approach was brute-forcing tool NLBrute being used to target victims over RDP.
(The end-point detection firm has one of the most detailed analyses of Sodinkobi available here).
Compounding the difficulties for defenders, attackers often also minimise detection by digitally code-signing their ransomware with an Authenticode certificate.
As Sophos notes in an annual security report published this week: “When ransomware is properly code-signed, anti-malware or anti-ransomware defenses might not analyze its code as rigorously as they would other executables without signature verification. Endpoint protection software may even choose to trust the malicious code.”
The company adds: “To automatically distribute ransomware to peer endpoints and servers, adversaries leverage a trusted dual-use utility like PsExec from Microsoft Sysinternals. The attacker crafts a script that lists the collected targeted machines and incorporates them together with PsExec, a privileged domain account, and the ransomware. This script successively copies and executes the ransomware onto peer machines. This takes less than an hour to complete, depending on the number of machines targeted. By the time the victim spots what’s going, on it is too late, as these attacks typically happen in the middle of the night when IT staff is sleeping.”