Danish cloud hosting provider CloudNordic has fallen victim to a devastating ransomware attack that security experts have described as a ‘worst case scenario’ for the firm.
CloudNordic confirmed the ransomware incident occurred on Friday, revealing that customers have “lost all data” held by the firm.
The attack on the firm’s systems appears to have occurred during a data center migration and saw threat actors gain access to administrative systems, CloudNordic said in a statement.
Thereafter, the attackers were able to “shut down all systems”, taking down the firm’s website and email services and encrypting customer systems and websites.
Crucially, CloudNordic said attackers managed to “encrypt all servers’ disks, as well as on primary and secondary backup systems”.
The firm said there is no evidence to suggest that customer data has been exfiltrated by the attackers.
“CloudNordic was exposed to a ransomware attack, where criminal hackers shut down all systems,” the firm said. “Websites, e-mail systems, customer systems, our customers’ websites, etc. Everything.”
The company said the attack has “paralyzed” the company and has seriously affected customers.
Reports from Danish media suggest that hundreds of companies have been impacted by the attack, and CloudNordic confirmed that “the majority of customers have lost all data”.
CloudNordic isn’t isolated in this incident, either. Its sister company, AzeroCloud, has also been subjected to a ransomware attack which has crippled systems.
Both companies are owned by Certiqa Holding, a Danish-based company which owns telco security provider NetQuest.
‘Worst case scenario’
Javvad Malik, lead security awareness advocate at KnowBe4, told ITPro that the incident “appears to be the worst case scenario for customers” and that the attack will have long-lasting implications for those affected.
“Many customers rely on cloud services precisely because they want to avoid concerns about security and backups, expecting the provider to handle these aspects,” he said.
“The fact that not only the service has become unavailable, but also the data seems to be irretrievable, will have a significant impact on customers.”
Malik added that incidents such as these “intensify pressure” on cloud service providers. Similarly, the circumstances in which this attack appears to have taken place highlight the precarious nature of migrations.
“This is especially crucial during periods of change, such as data center migrations, where multiple components are in motion and a single vulnerability in software, mismanaged credentials, or even a phishing email could have enabled the attackers to gain unauthorized access.”
Sascha Giese, global tech evangelist at SolarWinds, echoed Malik’s comments, suggesting that the initial breach is likely to have happened “months ago”.
“An incident of this gravity doesn’t happen overnight,” she said. “It’s quite normal that virtual servers are moved around between different hosts and even different data centers.”
“That’s a standard practice for redundancy, scalability, and load distribution. The attackers might have been lucky, or they might have done a lot of reconnaissance ahead of the attack.”