Criminals go full Viking on CloudNordic, wipe all servers and customer data
IT outfit says it can't — and won't — pay the ransom demand
CloudNordic has told customers to consider all of their data lost following a ransomware infection that encrypted the large Danish cloud provider's servers and "paralyzed CloudNordic completely," according to the IT outfit's online confession.
The intrusion happened in the early-morning hours of August 18, when miscreants shut down all of CloudNordic's systems, wiping both the company's and customers' websites and email systems. Since then, the IT team and third-party responders have been working to restore punters' data — but as of Tuesday, it's not looking great.
We're told the backups were trashed along with the production data. And CloudNordic isn't prepared to pay a ransom, presumably demanded in exchange for restoring the information and systems, to the extortionists responsible for the intrusion.
"We cannot and do not want to meet the financial demands of the criminal hackers for ransom," CloudNordic said in an online notice, translated from Danish.
"Unfortunately, it has proved impossible to recreate more data, and the majority of our customers have thus lost all data with us," the alert continued. "This applies to everyone we have not contacted at this time."
The self-proclaimed "Nordic cloud experts" said they reported the attack to the police.
And while none of this is good news to organizations that have now lost all of their website and email data, CloudNordic does offer a slight silver lining: the biz doesn't believe that the criminals exfiltrated any information before encrypting the systems.
"We have seen no evidence of a data breach," the cloud provider claimed, adding:
We have not seen that the attackers had access to the data content of the machines themselves, but rather to administration systems from which they could encrypt entire disks. Very large amounts of data were encrypted, and we have seen no signs that attempts were made to copy large amounts of data out.
CloudNordic says its "best estimate" is that the infection happened as servers were being moved from one datacenter to another.
Some of the machines were apparently infected before the move, and during the transfer, servers that had been on separate networks were all connected to CloudNordic's internal network. This gave the intruders access to the central administrative systems, storage, the replication backup system and the secondary backups, all of which they promptly encrypted for extortion.
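The failure described above (separate networks merged into one internal network during the move, so an already-infected host could reach admin, storage and both backup tiers) can be checked with a simple flow-graph model before a migration is executed. This is an added example, not CloudNordic's own tooling; the segment names, assets and flow rules are constructed for illustration.

```python
"""Blast-radius check: which segments, and which backup assets, become
reachable from a compromised segment under a given set of allowed flows."""
from collections import deque

# Constructed inventory: segment -> assets hosted in it (hypothetical names).
ASSETS = {
    "prod-old-dc": {"web-01", "mail-01"},
    "admin": {"admin-console", "hypervisor-mgmt"},
    "storage": {"san-01"},
    "backup-primary": {"replication-backup"},
    "backup-secondary": {"offsite-backup"},
}

# Allowed flows as (source_segment, destination_segment).
# Before the move: the old datacentre's servers had no path to admin or backups.
FLOWS_BEFORE = {
    ("admin", "storage"),
    ("admin", "backup-primary"),
    ("backup-primary", "backup-secondary"),
}

# During the move: every segment was plugged into one internal network,
# modelled here as an "internal" hub segment that reaches everything.
FLOWS_DURING_MOVE = FLOWS_BEFORE | {
    ("prod-old-dc", "internal"),
    ("internal", "admin"),
    ("internal", "storage"),
    ("internal", "backup-primary"),
    ("internal", "backup-secondary"),
}


def reachable_segments(start, flows):
    """Breadth-first search over allowed flows from a compromised segment."""
    seen, queue = {start}, deque([start])
    while queue:
        seg = queue.popleft()
        for src, dst in flows:
            if src == seg and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def exposed_backups(start, flows):
    """Backup assets an intruder in `start` could reach, and therefore encrypt."""
    segs = reachable_segments(start, flows)
    return sorted(a for s in segs if s.startswith("backup") for a in ASSETS.get(s, ()))


def isolation_violations(flows, allowed=frozenset({"admin", "backup-primary"})):
    """Flows into a backup segment from anything but the designated backup
    controllers; the flat 'internal' hub shows up here during the move."""
    return sorted((s, d) for s, d in flows if d.startswith("backup") and s not in allowed)
```

Run `exposed_backups("prod-old-dc", FLOWS_DURING_MOVE)` against `FLOWS_BEFORE` to see the difference the merged network makes; `isolation_violations` is the check to run on a planned rule set before cabling anything.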
As of today, CloudNordic said it's ready to get customers' web and email servers — without data — back online, albeit without DNS at present. To restore these services, the firm says to email support@azero.dk with the word RESTORE in the subject line.
In the body of the email, include your email address, phone number, and domain, and CloudNordic will send you login details for a new website and email service.
However, the provider notes that it will take a "massive amount of time" to restore all of these services, even without data, and as such it encourages "critically affected" customers to find new providers "to minimize your downtime."
Or, there's the DIY option, which is the "fastest method to get DNS working again for your domain," CloudNordic said. Customers can find detailed instructions for both options in the ransomware notification. ®