Incident

CloudNordic reports ransomware attack, loses all customer data

Take action: This event is the stuff of every engineer's nightmares: a ransomware attack that infiltrates so deeply that it wipes every server, backup and configuration. Although this is practically very difficult and expensive these days, the incident is a good example of why companies should consider some level of diversification between providers, so that at least some data can be recovered from another provider.


Learn More

The Danish cloud service provider CloudNordic has reported that it has fallen victim to a ransomware attack and has advised its customers to assume that all of their data has been irretrievably lost. All of CloudNordic's systems were rendered non-operational. This critical incident transpired during the early hours of August 18, during which the attackers systematically disabled all of the company's systems.

The servers hosting both CloudNordic's internal data and its customers' websites and email services were encrypted and rendered inaccessible.

Efforts to restore the compromised data have been underway since the incident occurred, involving both CloudNordic's IT team and external cybersecurity experts. Nevertheless, as of the most recent update on Tuesday, the prospects for data recovery appear bleak.

CloudNordic explicitly stated that it refuses to pay the ransom. The company expressed regret that it cannot recover customer data. The majority of the company's clients have experienced a total loss of their stored data.

A silver lining on this cloud may be that CloudNordic claims there is no evidence to suggest that the attackers managed to exfiltrate any sensitive information before encrypting the systems. Instead, the unauthorized access was limited to the administration systems, allowing the attackers to encrypt entire disks. The scope of the encrypted data was extensive, and there was no indication that any large-scale data copying had been attempted.

CloudNordic postulated that the attack likely took place during the transfer of servers from one data center to another. Certain machines were apparently compromised before the transfer, and the situation escalated during the migration process as servers from separate networks were interconnected within CloudNordic's internal network. This inadvertent access granted the attackers the ability to target key components of the infrastructure, including

  • central administrative systems,
  • storage,
  • replication backup systems,
  • secondary backups.

All of these critical systems were promptly encrypted by the attackers for ransom purposes.

CloudNordic announced its readiness to bring customers' web and email servers back online, albeit with no customer data. Customers that would accept this level of restoration were instructed to reach out via email, specifically to support@azero.dk, including "RESTORE" in the subject line. In the body of the email, customers were advised to provide their email addresses, phone numbers, and domains. In return, CloudNordic would furnish them with login credentials for new web and email services.
