Ransomware Attack Hits Data Center Provider CyrusOne: Report

cyrusone data center ransomware

Security experts say the incident shows that cybercriminals are using ransomware to hit companies where it hurts.

U.S. data center provider CyrusOne has been hit by a ransomware attack, which has impacted six of its managed services customers, a report has found.

CyrusOne, which is based in Texas and is one of the biggest data center providers in the U.S., serves more than 185 of Fortune 1000 customers worldwide. The ransomware attack, first reported Thursday by ZDNet, took place Wednesday and created availability issues for six of CyrusOne’s managed services customers that are located in its New York data center, including financial and brokerage company FIA Tech.

“Our data center colocation services, including IX and IP Network Services, are not involved in this incident,” CyrusOne told ZDNet. “Our investigation is ongoing and we are working closely with third-party experts to address this matter.”

According to the report, the attack infected the data-center provider with the REvil (Sodinokibi) ransomware, a popular malware that has been used in other high-profile ransomware attacks, including one in August that hit 22 Texas local governments in what Texas officials said was part of a targeted attack launched by a single threat actor.

A ransom note reportedly told the company that its files are encrypted and a ransom must be paid in order for them to be decrypted. ZDNet reported that CyrusOne does not intend on paying the ransom. CyrusOne did not respond to a request for comment from Threatpost.

Security experts for their part said that data centers are a lucrative target for cybercriminals looking to hit companies where it hurts – and consequently expect higher chances of ransom payouts.

“The response and remediation from CyrusOne have been excellent given its ability to restore data from backups and respond rapidly to the attack,” Thomas Hatch, CTO and Co-Founder at SaltStack, told Threatpost. “However, this situation highlights that data center and infrastructure-as-a-service (IaaS) providers are just as vulnerable to attacks as other companies. While IaaS providers generally create very secure infrastructures, there is still the liability that they can be attacked in this manner.”

Going into 2020, ransomware attacks will not only continue, but will look to attack larger targets focused on disrupting IT operations, Terence Jackson, CISO at Thycotic, told Threatpost.

“This attack is interesting as it targeted a data center which hosts IT infrastructure for multiple companies,” he said. “Cyrus owns 45 data centers across the U.S. and EMEA, and boasts more than 1,000 customers. This attack likely targeted the resiliency of their network, which would also trickle downstream to their customers business operations. I encourage companies to test their business continuity and disaster recovery plans, microsegment their networks, continue to educate their users  and enforce a least-privilege methodology.”

The news comes as, ransomware attacks specifically against data centers and hosting companies continue to make headlines.

In November, SmarterASP.NET, a popular web hosting provider with more than 440,480 customers, was hit with a ransomware attack that took down its customers’ websites that were hosted by the company. Other hosting services have also fallen victim to ransomware – in December 2018, Dataresolution.net was hit with a Christmas Eve attack. A2 Hosting in April 2019 reported a ransomware attack that had encrypted their Windows hosting servers.

“This news of yet another serious ransomware attack should come as no surprise to anyone,” Carl Wearn, head of e-crime at Mimecast said in an email. “Ransomware is increasingly being utilized in a highly targeted manner by criminals and threat actors in order to leverage as big a ‘ransom’ as possible. Recent attacks have targeted managed service providers (MSPs) across a range of sectors to impact a wider range of businesses and organizations and add to the pressure on those services to pay the ransom.”

Free Threatpost Webinar: Risk around third-party vendors is real and can lead to data disasters. We rely on third-party vendors, but that doesn’t mean forfeiting security. Join us on Dec. 18th at 2 pm EST as Threatpost looks at managing third-party relationship risks with industry experts Dr. Larry Ponemon, of Ponemon Institute; Harlan Carvey, with Digital Guardian and Flashpoint’s Lance James. Click here to register.

Suggested articles

alien cerberus banking malware

Alien Android Banking Trojan Sidesteps 2FA

A new ‘fork’ of the Cerberus banking trojan, called Alien, targets victims’ credentials from more than 200 mobile apps, including Bank of America and Microsoft Outlook.

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.