Danish hosting firms CloudNordic and AzeroCloud have suffered ransomware attacks, causing the loss of the majority of customer data and forcing the hosting providers to shut down all systems, including websites, email, and customer sites.
The two brands belong to the same company and stated that the attack unfolded last Friday night. However, today's operational status remains highly problematic, with the firm's IT teams only managing to restore some servers without any data.
Moreover, the firm's statement clarifies that it won't be paying the threat actors a ransom and has already engaged with security experts and reported the incident to the police.
Unfortunately, the system and data restoration process isn't going smoothly, and CloudNordic says many of its customers have lost data that appears to be irrecoverable.
"Since we neither can nor wish to meet the financial demands of the criminal hackers for a ransom, CloudNordic's IT team and external experts have been working intensively to assess the damage and determine what could be recovered," reads CloudNordic's statement (machine translated)
"Sadly, it has been impossible to recover more data, and the majority of our customers have consequently lost all their data with us."
Both public notices include instructions on recovering websites and services from local backups or Wayback Machine archives.
Given the situation, the two hosting service providers previously recommended that heavily impacted customers move to other providers, such as Powernet and Nordicway.
Hitting at the right moment
The hosting company's statements revealed that some of the firm's servers had been infected by ransomware despite being protected by firewalls and antivirus.
During a data center migration, those servers were connected to the broader network, allowing the attackers to access critical administrative systems, all data storage silos, and all backup systems.
Next, the attackers encrypted all server disks, including primary and secondary backups, corrupting everything without leaving a recovery opportunity.
CloudNordic says that the attack was limited to encrypting data, and the collected evidence does not indicate that any data on the machines was accessed or exfiltrated. That said, there's no evidence of a data breach.
Danish media reports that the attacks have impacted "several hundred Danish companies" who lost everything they stored in the cloud, including websites, email inboxes, documents, etc.
Martin Haslund Johansson, the director of Azerocloud and CloudNordic, stated that he does not expect customers to be left with them when the recovery is finally completed.
Targeting hosting providers is a tactic used by ransomware gangs in the past as it causes large-scale damage and creates many victims in a single attack.
Due to the number of victims, providers will be under a lot of pressure to pay a ransom to restore their operations and potentially avoid lawsuits from customers who lost their data.
In 2017, a similar attack led a South Korean hosting provider to pay a $1 million ransomware demand to recover its customers' data.
More recently, Rackspace suffered a Play ransomware attack on its hosted Microsoft Exchange services that led to email outages for many of its customers.