View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
December 5, 2019updated 12 Jul 2022 10:33am

CyrusOne Confirms Ransomware Attack

"Our data center colocation services, including IX and IP Network Services, are not involved in this incident."

By CBR Staff Writer

UPDATED 17:56 BST with CyrusOne comment

Major data centre provider CyrusOne has confirmed a ransomware attack that it said today has impacted six of its managed service customers, located “primarily” in its New York data centre.

News of the ransomware attack was first reported late Wednesday by ZDNet’s Catalin Cimpanu. The NASDAQ-listed company’s shares fell approximately five percent on the news.

The company provides colocation facilities for approximately 1,000 customers in 48 data centers and two recovery centers in 13 markets (10 cities in the U.S., London, Singapore and Frankfurt).

Cimpanu reports that the incident took place Tuesday and was caused by a version of the REvil (Sodinokibi) ransomware.

CyrusOne told Computer Business Review: “Six of our managed service customers, located primarily in our New York data center, have experienced availability issues due to a ransomware program encrypting certain devices in their network.

“We have initiated our incident response and continuity protocols and we are working with the customers involved to restore their systems.  Law enforcement has been notified and we will support their investigative efforts. Our data center colocation services, including IX and IP Network Services, are not involved in this incident. Our investigation is on-going and we are working closely with third-party experts to address this matter.”

Content from our partners
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester
Infosecurity Europe 2024: Rethink the power of infosecurity

Sodinokibi first appeared in April 2019 and was initially observed in the wild propagating itself by exploiting a vulnerability in Oracle’s WebLogic server, but has been seen using a number of approaches.


Sodinokibi infections observed from May through August 23, 2019. Credit: McAfee

The attack is the latest in a string of ransomware incidents this year, many of them seeming to be highly targeted.

Read this: Everis Hacked: Ransomware Sample Emerges, Company Silent on Attack

The initial vector is not known, but Sodinokibi has been observed distributing the ransomware using spear-phishing and weaponised documents, as well as using bat-files to download payloads from Pastebin and inject them into a process on the operating system, or, as McAfee notes, compromising RDP and usage of script files and password cracking tools to distribute over the victim’s network and compromise of Managed Service Providers and usage of their distribution software to spread the ransomware.

A series of McAfee honeypots designed specifically to harvest information about this ransomware family found a typical initial approach was brute-forcing tool NLBrute being used to target victims over RDP.

(The end-point detection firm has one of the most detailed analyses of Sodinkobi available here).

Compounding the difficulties for defenders, attackers often also minimise detection by digitally code-signing their ransomware with an Authenticode certificate.

As Sophos notes in an annual security report published this week: “When ransomware is properly code-signed, anti-malware or anti-ransomware defenses might not analyze its code as rigorously as they would other executables without signature verification. Endpoint protection software may even choose to trust the malicious code.”

The company adds: “To automatically distribute ransomware to peer endpoints and servers, adversaries leverage a trusted dual-use utility like PsExec from Microsoft Sysinternals. The attacker crafts a script that lists the collected targeted machines and incorporates them together with PsExec, a privileged domain account, and the ransomware. This script successively copies and executes the ransomware onto peer machines. This takes less than an hour to complete, depending on the number of machines targeted. By the time the victim spots what’s going, on it is too late, as these attacks typically happen in the middle of the night when IT staff is sleeping.”

See also: 5 Things to Do Before a Ransomware Attack

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.