Dive Brief:
- Six of CyrusOne's managed service customers, primarily in its New York data center, experienced availability issues following a ransomware attack, a CyrusOne spokesperson told CIO Dive in an email. Some of the devices in the customers' network were encrypted by the attack.
- An investigation is underway with law enforcement support. "Our data center colocation services, including IX and IP Network Services, are not involved in this incident. Our investigation is on-going and we are working closely with third-party experts to address this matter," according to the company.
- First reported by ZDNet, the strain was a version of REvil (Sodinokibi), which has connections to the ransomware attacks on more than 23 Texas municipalities and 400 U.S. dentist offices.
Dive Insight:
The REvil ransomware family is having a busy year. It was detected at the end of April, according to McAfee.
"Overall the code is very well written and designed to execute quickly to encrypt the defined files in the configuration of the ransomware," according to McAfee research. The malware attempts to "get all functions needed in runtime and make a dynamic IAT to try obfuscating the Windows call in a static analysis."
In August, local Texas governments were hit by a "coordinated ransomware" attack, causing the state to declare a state of emergency. By September, Texas had restored business-critical services after the REvil attack.
The ransomware hitting dentist offices was part of a larger trend for the year. Since Oct. 1, there were at least 15 recorded ransomware attacks on U.S. healthcare networks, municipalities, school districts, police departments and employment agency offices, according to research from Armor.
In November, Louisiana Governor John Bel Edwards disclosed a ransomware attack "similar to the ransomware targeted at local school districts and government entities" over the summer, he said in a tweet.
In an "abundance of caution," Louisiana's Office of Technology Services disabled state servers, which temporarily disrupted state agencies' email, websites and online applications, said Bel Edwards. The service interruption was due to the state's proactive safety precautions to prevent the ransomware from spreading.
A total of 13 managed service providers or cloud-based service providers have been hit by ransomware so far this year, according to Armor. In its note, CyrusOne's hackers said "it's in your interests to get your files back. From our side, we (the best specialists) make everything for restoring." In some cases, when attacks are on smaller entities, paying the ransom is worth it.