Introduction

In a shocking turn of events, hosting providers CloudNordic and AzeroCloud, based in Denmark, recently suffered a devastating ransomware attack that resulted in the loss of the vast majority of client data and compelled the hosting providers to take down all of their systems, including websites, email, and customer websites.

The attack, the company explains in an incident notice on its website, started on Friday, August 18, and resulted in all its systems and servers being shut down.

Both businesses, which are part of the same parent company, have confirmed that the attack took place on the previous Friday night. The operating situation as of today is still very difficult, with the IT staff only able to restore certain servers but not any data.

Unfortunately, the process of restoring the system and the data is not proceeding as easily as CloudNordic had hoped, and the company reports that many of its clients have lost data that does not seem to be recoverable. According to comments made by the hosting provider, several of the company’s servers were infected with ransomware, despite the fact that these servers were secured by firewalls and antivirus software.

The Attack

According to CloudNordic, the attackers took advantage of an ongoing migration to a new data center and likely leveraged an existing, dormant infection to encrypt all systems.

During the migration, previously separated servers were connected to the company’s internal network, providing the attackers with access to the central administration systems and the backup systems, including secondary ones.

Attackers gained access to critical administrative systems, all data storage systems and all backup systems.

Further, the attackers encrypted all server disks, including primary and secondary backups, corrupting everything without leaving a recovery opportunity.

CloudNordic says that the attack was limited to encrypting data, and the collected evidence does not indicate that any data on the servers was accessed and/or exfiltrated. This means there is no evidence of a data breach.

Danish media reports that the attacks have impacted “several hundred Danish companies” who lost everything they stored in the cloud, including websites, email inboxes, documents, and other important data.

Impact on Customers

This devastating incident has severe consequences for CloudNordic’s customers, who entrusted the hosting provider with their data. Individuals and businesses now face substantial challenges in recovering their lost information, potentially leading to financial losses, reputational damage, and legal complications.

Moreover, CloudNordic’s statement clarifies that it won’t be paying the threat actors a ransom and has already engaged with security experts and reported the incident to the police.

Lessons Learned

The CloudNordic ransomware attack serves as a wake-up call for companies and individuals to take proactive measures to strengthen their cybersecurity defenses. Below are some key lessons that can be drawn from this incident:

  1. Regular Data Backups: It is crucial for any company to maintain up-to-date backups of all critical data. By doing so, companies can restore their information in the event of an attack. Old-school offsite backups are particularly useful in mitigating the impact of ransomware attacks.
  2. Multi-Layered Security: Employing a multi-layered security approach is vital to protect against cyber threats. Measures such as firewalls, antivirus software, intrusion detection systems, and employee training can greatly reduce the risk of successful attacks.
  3. Incident Response Plan: Every organization should have a well-defined incident response plan in place. This plan outlines the actions to be taken in the event of a breach or attack, helping to minimize damage and ensure a swift recovery. Every company should reconsider whether it has a resiliency plan in case its cloud storage disappears. With no control over how the storage is managed, companies put a lot of trust in cloud storage providers to keep their data safe not just from ransomware, but also from other disasters like fires or weather events.
  4. Third-Party Risk Assessment: When selecting a hosting provider or any third-party service, it is essential to assess their security measures and track record in handling cyber threats. Thorough due diligence can help avoid potential data loss incidents.

In this particular incident, as part of the migration to a new data center, servers and admin interfaces were connected to an internal network, providing access that was forbidden by default and allowing the attack. Companies should consider what would happen if their own providers were similarly compromised. In addition, companies should not rely only on the cloud provider’s backup procedures, but should keep their own backup copy.
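The segmentation failure described above can be checked before a migration change is applied. The following is an added example, not code from CloudNordic or from the original article: it models allowed network flows as a graph and reports when a proposed rule makes admin, storage and every backup tier reachable from a less trusted zone. All zone names and flows are constructed for illustration.

```python
from collections import deque

# Constructed topology: zone -> zones it is allowed to open connections to.
BEFORE = {
    "customer_servers": set(),            # kept separate before the migration
    "internal_net": {"central_admin"},
    "central_admin": {"storage", "primary_backup", "secondary_backup"},
    "storage": set(),
    "primary_backup": set(),
    "secondary_backup": set(),
}
PROTECTED = {"central_admin", "storage", "primary_backup", "secondary_backup"}
BACKUPS = {"primary_backup", "secondary_backup"}

def reachable(flows, start):
    """Zones reachable from start by following allowed flows transitively."""
    seen, queue = set(), deque([start])
    while queue:
        for nxt in flows.get(queue.popleft(), ()):
            if nxt != start and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def with_change(flows, src, dst):
    """Copy of flows with one proposed src -> dst rule added."""
    changed = {zone: set(targets) for zone, targets in flows.items()}
    changed.setdefault(src, set()).add(dst)
    return changed

def audit(flows, untrusted, protected):
    """Map each untrusted zone to the protected zones it can reach."""
    findings = {}
    for zone in untrusted:
        exposed = reachable(flows, zone) & protected
        if exposed:
            findings[zone] = sorted(exposed)
    return findings

def backups_share_fate(flows, untrusted, backups):
    """True if one untrusted zone can reach every backup tier at once."""
    return any(backups <= reachable(flows, zone) for zone in untrusted)

# Proposed migration step: attach the separated servers to the internal network.
AFTER = with_change(BEFORE, "customer_servers", "internal_net")

if __name__ == "__main__":
    for label, flows in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(flows, ["customer_servers"], PROTECTED),
              "all backups exposed:",
              backups_share_fate(flows, ["customer_servers"], BACKUPS))
```

A copy held outside this graph entirely, such as the customer's own offsite backup, is the only tier the check cannot flag as sharing fate with the provider's network.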

The Aftermath

Following the ransomware attack, CloudNordic has faced significant backlash from its customers and the cybersecurity community. The incident highlights the need for increased transparency and accountability in the aftermath of such events. Affected customers should be provided with clear guidance on the steps they can take to mitigate the impact of this breach.

“Sadly, it has been impossible to recover more data, and the majority of our customers have consequently lost all their data with us.”

This ransomware attack will have a dramatic effect on the service provider’s future earnings. Firewalls and antivirus systems are not, by themselves, enough to protect an enterprise.

Companies must have an established cybersecurity program aligned to a cybersecurity framework, and must measure themselves against the chosen framework.

Conclusion

The loss of all customer data by the hosting provider underscores the critical importance of robust cybersecurity practices. In a world increasingly reliant on cloud infrastructure, organizations must remain proactive, vigilant, and well-prepared to defend against evolving cyber threats.

By learning from incidents like this, businesses and individuals can take proactive steps to protect themselves and their data from future attacks.
