Two individuals accessing and utilising data and services hosted in the cloud.

CloudNordic – A Danish Hosting Provider Hit By Ransomware Attack

CloudNordic and AzeroCloud, the hosting companies from Denmark, have fallen victim to ransomware attacks. These incidents have resulted in significant data loss for customers and have forced the hosting providers to take down all their systems, including websites, emails, and customer sites.

CloudNordic and Azero, both owned by Certiqa Holding, announced this week that they were the victims of a cyberattack in the early hours of August 18th. The operating situation is extremely difficult. The firm’s IT teams were only able to restore a few servers, unfortunately without any data.

According to the CloudNordic website:

Websites, e-mail systems, customer systems, our customers’ websites, etc. Everything. A break-in that has paralyzed CloudNordic completely, and which also hits our customers hard.

The two hosting companies, both of which are under Certiqa Holding’s control, have categorically said that they will not even consider paying a ransom. They have also taken the effort to contact security experts and have informed the police of the entire affair without delay.

In-depth instructions are provided in both public notifications for restoring websites and services by utilising either local backups or the Wayback Machine’s archives. The hosting service providers have already provided advice for seriously impacted clients given the present circumstances. They explicitly mentioned alternatives like Powernet and Nordicway when they discussed the potential for switching to different service providers.

Precise Strike Ransomware Hits Denmark’s Hosting Companies

Additionally, NetQuest, a security company, is owned by Certiqa Holding. The firm claimed that they had put in place sufficient firewalls and antivirus programmes. While a data centre move was taking place, the ransomware attack was able to bypass the firewalls.

The attackers got access to all backups and administration systems thanks to this connection between them, which made the hacked servers visible to the whole network.

The situation shows that one server may have already been compromised, and that the start of the data movement may have unintentionally allowed the malware to spread throughout the whole network.

The attackers then encrypted every server disc, including primary and secondary backups. There was no chance for recovery because of the widespread malware that resulted.

According to Steve Hahn, BullWall’s executive vice president:

Migrations are when companies are at their most vulnerable. During one of these large scale migrations we often see ports opened, applications whitelisted, security services may be suspended, and people are generally more at risk to social engineering strategies.

The company’s statement claims that the administrative systems were used for the encryption. There is no proof that the attackers gained access to or downloaded any data from the compromised systems.

Ransomware groups have previously used a tactic of focusing on hosting companies. This method was chosen because of its ability to do severe damage and attack a large number of people in one hit. As a result of the widespread damage, these providers are under pressure to consider a ransom payment to quickly restore their service operations. Furthermore, this approach might help to reduce potential legal action from users who have lost data because of an attack.

CloudNordic has begun the process of re-establishing new infrastructure, which includes name servers, web servers, and mail servers. The effort aims to help clients in restoring their services while keeping their existing domains.

The company recommends that users contact them through email for domain restoration and to try to retrieve email messages from their computer’s mail clients. It is significant to remember that CloudNordic warns that the recovery process might take a considerable amount of time.

The recent attacks on CloudNordic and Azero are showing of a worldwide increase in ransomware outbreaks. In the first quarter of 2023, NCC Group recorded a spectacular 153% rise. This rise is mostly due to the Cl0p ransomware group, who used a zero-day bug in Ipswitch’s MOVEit software to launch massive attacks. According to NCC Group, Cl0p was responsible for 171 of the 502 assaults in July.

Phishing Tackle offers a free 14-day trial to help train your users to avoid these types of attacks and test their knowledge with simulated attacks using various attack vectors. By focusing on training your users to spot these types of attacks, rather than relying solely on technology, you can ensure that your organisation is better prepared to defend against cyber threats and minimise the impact of any successful attacks.

Recent posts