Monday, February 26, 2024

The Data Center Ransomware Attack That Costs You Everything

Must read

I work closely with our editorial team here at DCK, and we often throw ideas around as to what to cover. It’s not often that a topic of conversation breaks my heart.

When discussing security in the data center, we often discuss physical security, gates, fences, and biometrics. We also discuss cybersecurity, infrastructure segmentation, proper network security, and isolation. But I always wonder how many folks here take these little golden nuggets of wisdom and apply them.

In a recent post on DCK, I dove into physical security because, for the very first time, our AFCOM State of the Data Center 2023 report saw multiple types of physical human threats emerge into the top five of the biggest threats against critical infrastructure. Today, we focus on what topped that list — ransomware.

And I’ll fill you in on a little secret. It’s not the first year that ransomware was at the top of the charts. For the seventh year in a row, and surprising no one reading this, ransomware hit the top of the list. Remember, every connected device is a target as it relates to data. When asked to indicate the top five security and infrastructure threats to their companies, respondents were by far more likely to mention ransomware (52%), followed by loss of PII (39%) and outside human threats (39%).

All of these security threats can create downtime. And that quickly becomes costly. According to the Uptime Institute’s 2022 Outage Analysis, the consequences and cost of downtime are worsening, with 60% of failures now resulting in at least $100,000 in total losses. They also found that when significant outages happen, over 85% of the incidents stem from staff failing to follow procedures or flaws in the processes themselves.

But what happens when it’s not just downtime? What happens if a ransomware attack costs you everything?

After a devastating ransomware attack, that’s precisely what happened to a Danish cloud provider.

The ransomware encryption attack that cost CloudNordic everything

On the night of Friday, August 18th, CloudNordic was forced to send a heartbreaking letter to all of its clients. What did these customers lose?

“Everything,” CloudNordic wrote on their website. “A break-in has paralyzed CloudNordic completely and also hit our customers hard.” The company took a hardline stance and refused to meet criminal demands for ransom. However, there were consequences. “Unfortunately, it has proven impossible to recover more data, and the majority of our customers have thus lost all data with us. This applies to everyone we have not contacted at this time.”

How did this happen?

In the post on CloudNordic’s website, translated from Danish, the organization stated, “The attackers succeeded in encrypting all servers’ disks, as well as on the primary and secondary backup system, whereby all machines crashed, and we lost access to all data.”

While it’s unclear exactly how the ransomware attack happened, the company stated that it was amplified by moving infected systems from one data center to another that was “unfortunately wired to access our internal network that is used to manage all of our servers.” Sadly, CloudNordic did not know there was an infected system.

“Despite the fact that the machines that were moved were protected by both firewall and antivirus, some of the machines were infected before the move, with an infection that had not been actively used in the previous data center, and we had no knowledge that there was an infection,” the company wrote.

From there, via CloudNordic’s internal network, “attackers gained access to central administration systems and the backup systems.”

Customers within Azero were also impacted after an identical notice popped up on their website. CloudNordic and Azero are owned by the same Danish organization, Certiqa Holdings. Interestingly, they also own Netquest, a threat intelligence provider for telcos and governments.

As of this post, CloudNordic and Azero are doing their best to rebuild, from scratch, customers’ websites, email systems, and other critical systems, all without customer data.

“This is another example of cyber gangs strategically focusing on high-value targets like MSPs where they can use data exfiltration to extort multiple organizations at once and increase the odds of ransom payment,” said Darren Wiliams, CEO and Founder of BlackFog. “This means the aftermath of the attack will likely unfold over a prolonged period, similar to the MOVEit attacks. Data exfiltration is a prevalent tactic, with more than 89% of all attacks now involving some form of data exfiltration. Existing defense-based strategies are no longer enough to cope with these modern, sophisticated attacks. Unfortunately, it is going to take a disaster such as this to force companies to recognize the need for preventative approaches and anti-data exfiltration-based approaches.”

We’ll talk about what that prevention looks like in a minute. The only silver lining here is that while very large amounts of data were encrypted and effectively rendered useless, there were no signs that this data was copied or moved out of the ecosystem.

Coming to a data center near you … ransomware

The idea here isn’t to scare you out of your cloud or data center provider. However, data centers and colocation providers do need to examine their systems to ensure that something like this can never happen.

The challenge is that data centers are very much targets. In 2019, CyrusOne confirmed that it had experienced a ransomware attack. While the attack was limited to managed services businesses in a single New York data center, six customers were nevertheless impacted.

“Upon discovery of the incident, CyrusOne initiated its response and continuity protocols to determine what occurred, restore systems, and notify the appropriate legal authorities,” CyrusOne said in a statement.

According to a report by ZDNet, the ransomware attack was caused by a version of the REvil ransomware, also known as Sodinokibi.

About a year after CyrusOne, Equinix disclosed a ransomware attack against their systems. The company didn’t offer any details about the ransomware incident. Bleeping Computer claims to have received a copy of Equinix’s ransom note. According to the news site, the note included a screenshot of folders with the encrypted files. Folder names indicate that they contain a lot of sensitive data, such as financial, legal, and payroll information.

The good news here is that customer systems weren’t impacted, as stated in an Equinix blog post:

“Equinix is currently investigating a security incident we detected that involves ransomware on some of our internal systems. Our teams took immediate and decisive action to address the incident, notified law enforcement, and are continuing to investigate. Our data centers and our service offerings, including managed services, remain fully operational, and the incident has not affected our ability to support our customers.”

A sprinkle of ransomware prevention can go a long way

As attackers become bolder, they will go after more targets. Data centers pose as great attack points because there are so many clients that an attacker could go after.

Many security trends point to an attack vector that’s simple yet effective. Less than 10% of successful attacks in our industry exploit technical flaws. Those types of attacks are very targeted against flawed systems. The other 90% or so start with softer attacks, such as spear-phishing, in which emails appear from a trusted sender convincing the recipient to reveal confidential information. And with AI, these attacks are much more contextual and difficult to spot.

To guard against ransomware, experts recommend that data center security managers have the fundamentals in place: access controls, endpoint protection, automated patching, and other elements of basic security hygiene. In my experience, ensuring proper network rules and segmentation can go a long way with risk mitigation. The additional fundamental safeguard? Awareness training. With over 90% of threats coming in through inboxes, users must be far more cautious about what they click. Leading organizations really test their users by leveraging spear-phishing dummies to ensure their workforce knows the difference between malicious attacks and trusted sources.

In addition, data centers should double-check that they’re adequately insured. The good news is that it’s becoming easier to be insured. From a recent post here on DCK, we learned that the cyber-insurance market, battered by a rash of pandemic-era ransomware attacks, is making a comeback. Price hikes are moderating, new carriers and fresh sources of capital are emerging, and companies can better afford coverage.

Cyber-insurance pricing increased 10% from a year earlier in January, a fraction of the 110% annual increase reported in the first quarter of 2022, preliminary data from insurance broker Marsh McLennan show. If those trends continue, prices could be set to decline, said Tom Reagan, Marsh’s cyber practice leader.

Ransomware protection will continue to top the list

The risks posed by cybercriminals are still enormous. Ransomware attacks against industrial organizations increased by 87% in 2022 from the year before, while the US Treasury Department said financial institutions flagged nearly $1.2 billion in likely ransomware-related payments in 2021. Recent high-profile breaches at financial services firm ION Trading UK and a major Asian data center emphasized the grim risk posed by hackers.

“Of all the risks that data center and IT infrastructure operators face, few come close to the debilitating consequences of an effective ransomware attack,” said Alan Howard, Principal Analyst at Omdia. “It’s striking that so many companies are poised to learn the hard way about mitigating the major risk factors they face, despite well-known horror stories. I expect the jury will be out for some time on the future of CloudNordic,” Howard said.

The point of this post isn’t to scare you. However, if you’re an infrastructure leader, use this moment to reflect on your security systems and best practices. If a system or workload is moved from one data center to another, are you sure about that system’s integrity? Who had access to it? How was it transferred in?

The idea of zero trust, where you trust nothing and validate everything, helps remove threats from often mundane operations. Finally, and very importantly, your users must have a shared responsibility regarding security. Trust takes so long to gain but can be lost in seconds in one of these attacks. Security basics can go a long way. Never be complacent with security audits and best practices as your data footprint grows. Otherwise, a single ransomware attack could cost you everything.

Latest article