CyrusOne on Thursday confirmed a ransomware attack earlier this week to its managed services division and said the attack affected six customers served primarily from its New York data center, located in Wappingers Falls, New York.
The company said it was "working to restore availability issues to six managed service customers due to a ransomware program encrypting certain devices."
"Upon discovery of the incident, CyrusOne initiated its response and continuity protocols to determine what occurred, restore systems, and notify the appropriate legal authorities," CyrusOne said in a statement. "The investigation is ongoing, and CyrusOne is working closely with third-party experts to address this matter."
The company did not respond to requests for comment.
The managed services business is just a small part of CyrusOne's offerings, which include colocation facilities for about 1,000 customers across 48 different data centers globally, with the bulk of the facilities located in the US. It counts more than 200 Fortune 1,000 companies among its clients, including hyperscale cloud platforms, which lease large-footprint facilities from the provider wholesale.
"CyrusOne’s data center colocation services, including IX and IP Network Services, are not involved in this incident," CyrusOne said in its statement.
According to a report by ZDNet, the ransomware attack occurred on Tuesday and was caused by a version of the REvil ransomware, also known as Sodinokibi.
This particular malware first appeared this April and was initially used to attack Oracle's WebLogic server but has since evolved to include more attack vectors. It has been involved in attacks on more than 23 Texas municipalities and 400 US dentist offices this year. Cybersecurity research firm Cybereason dubbed it "the crown prince of ransomware."
REvil has also been used to hijack remote-management tools of at least three other managed-service providers this summer.
In mid-October, the security firm McAfee tracked REvil bitcoin payments to an account containing 443 bitcoin, which was then equivalent to about $4.5 million.
How Could the Malware Get In?
No details were available Thursday afternoon about how the REvil ransomware was able to penetrate CyrusOne's systems.
Colin Bastable, CEO at Lucy Security, a Texas-based cybersecurity firm, who did not have direct knowledge about the incident, said a likely way in could be via social engineering.
"Only 3 percent of successful attacks exploit technical flaws," he said. The other 97 percent start with softer attacks, such as spear phishing.
"In such a high-profile company, it's easy to identify people to spearphish," Bastable said. "A quick look on the dark web shows that some 133 CyrusOne email addresses are associated with potentially compromised credentials – perhaps due to when someone used their company email address to register for a service, and the service has been compromised."
In addition, there are 3,414 contacts on LinkedIn with a connection to CyrusOne.
"So an attacker knows who to emulate, who to target, and just needs to deliver an attack," he said. "Perhaps a fake LinkedIn invite, dropping malware. There are many ways to deliver the payload."
Even tech-firm employees, who are presumably more security-conscious, may fall victim, sometimes because their technical skills make them complacent, Bastable said.
An Ounce of Prevention
To guard against ransomware, experts recommend that data center security managers have the fundamentals in place: access controls, endpoint protection, automated patching, and other elements of basic security hygiene.
In addition, data centers should double-check that they're properly insured, said Todd Weller, chief strategy officer at Bandura Cyber, a cybersecurity company.
Attacks will happen, he said. "There's no excuse not to have cyber insurance as a way to mitigate the financial costs of recovering from a cyberattack."
Finally, the only sure defense against ransomware is data backup: good backups that are comprehensive, easy to access in case of an attack, but isolated enough that ransomware can't reach them.
"Please, please, please back up your data," said Weller. "There is no excuse for not backing up your data, and it's the only 100 percent effective mitigator against ransomware risk."
There are also steps that data centers can take to minimize the spread of a ransomware attack, especially to a company's crown jewels.
"There are servers that keep important data that [does not need] to be accessed all the time during operations," said Christopher Elisan, director of intelligence at Flashpoint, a cybersecurity company. "If this is the case, it is important to limit any access to servers hosting important data."
He also recommended that data centers have network segmentation in place. "This will limit lateral movement by ransomware or any malware that is already in the network," he said.
Finally, since ransomware tries to spread as quickly as possible in order to do the maximum amount of damage, speed of response is key. But it can be hard for data center managers to spot ransomware and respond in real time, said Chris DeRamus, co-founder and CTO at DivvyCloud, a cloud security vendor.
"It’s possible that this attack, and future attacks, could be prevented through the implementation of automated solutions," he said. These solutions could either alert security teams about an ongoing attack or take immediate steps to stop the spread of the attack.
In some cases, data centers may even be able to automatically remediate by cutting infected machines off from networks and either restoring systems from golden images or from the most recent uninfected backup.
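As an added illustration of the automated alert-and-isolate approach described above (example code written for this page, not from the article or any of the vendors it quotes), the following detector scans constructed endpoint file-write events for a host that is rewriting many files to one unfamiliar extension in a short window, the behaviour of an encryptor at work, and turns each hit into a containment step. Host names, paths, the extension baseline and the thresholds are all assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

T0 = datetime(2019, 12, 3, 9, 0, 0)  # constructed anchor time
# Constructed endpoint file-write events (timestamp, host, path): ws-01 is
# normal office activity; srv-07 rewrites many files to one unfamiliar
# extension within seconds, the behaviour of an encryptor on a file server.
SAMPLE_EVENTS = [
    (T0 + timedelta(seconds=i * 40), "ws-01", f"/home/a/report{i}.{e}")
    for i, e in enumerate(["docx", "xlsx", "pdf", "docx", "txt"])
] + [
    (T0 + timedelta(seconds=i), "srv-07", f"/data/cust{i % 6}/file{i}.dat.locked")
    for i in range(25)
]
KNOWN_EXTS = {"docx", "xlsx", "pdf", "txt", "dat", "log", "sql"}  # assumed baseline
WINDOW, MIN_FILES, MIN_EXT_SHARE = timedelta(seconds=60), 20, 0.9  # assumed tuning

def suspicious_hosts(events, window=WINDOW, min_files=MIN_FILES,
                     min_ext_share=MIN_EXT_SHARE, known_exts=KNOWN_EXTS):
    """Return {host: extension} for hosts that, inside any sliding window,
    wrote at least min_files files, almost all ending in one unknown extension."""
    by_host = defaultdict(list)
    for ts, host, path in events:
        by_host[host].append((ts, path))
    flagged = {}
    for host, writes in by_host.items():
        writes.sort()
        start = 0
        for end in range(len(writes)):
            while writes[end][0] - writes[start][0] > window:  # keep span <= window
                start += 1
            span = writes[start:end + 1]
            if len(span) < min_files:
                continue
            ext, n = Counter(p.rsplit(".", 1)[-1].lower()
                             for _, p in span).most_common(1)[0]
            if ext not in known_exts and n / len(span) >= min_ext_share:
                flagged[host] = ext
                break
    return flagged

def containment_plan(flagged):
    """Map detections to the response the article describes: cut the host off
    the network, then rebuild from a golden image or last clean backup."""
    return [{"host": h, "isolate": True, "reason": f"mass writes of .{ext}",
             "restore_from": "golden_image_or_last_clean_backup"}
            for h, ext in sorted(flagged.items())]
```

The window and file-count thresholds trade detection speed against false positives from legitimate bulk jobs, so they need tuning against each site's normal write rates before any isolation step is wired to them.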