Ransomware attacks continue to plague companies of all stripes. Organizations of any size and sector can be vulnerable to attacks that encrypt files and render entire IT estates inoperable. Threat actors then demand ransom payments in return for decrypting the files and making the resources available again.
Rather than go through a long recovery process or attempt to use decryption tools, many organizations will simply pay the fee, despite official advice from the FBI and many cybersecurity companies warning that this only encourages attackers and propagates the problem.
In early December 2019, the managed service division of Dallas-based data center REIT CyrusOne announced that it had suffered a ransomware attack that had encrypted some customers’ devices. It is rare for cybercriminals to go after a data center, but the attack hit six managed service customers at once, mostly customers at CyrusOne’s New York data center. The company's colocation services, including IX and IP Network Services, were seemingly unaffected.
FIA Tech, a financial and brokerage firm, was one of the customers affected by the attack on CyrusOne and saw an interruption of some of its cloud services as a result.
“The attack was focused on disrupting operations in an attempt to obtain a ransom from our data center provider,” the company said in a statement posted online.
Ransomware attacks explained
First reported by ZDNet, CyrusOne was reportedly hit by the REvil strain, also known as Sodinokibi, a relatively new strain of ransomware first discovered in April 2019. As well as other MSPs, this strain has been used against local governments in Texas and hundreds of dental offices in the US. As of October 2019, McAfee estimated Sodinokibi had already made over $4.5 million in ransomware payments.
“Ransomware has become more sophisticated, with more appetite for making money, maximizing their return on investment,” says Liviu Arsene, senior e-threat analyst at cybersecurity firm BitDefender.
Sodinokibi has quickly become popular with cybercriminals. Dubbed ‘The Crown Prince Of Ransomware’ by cybersecurity firm Cybereason, Sodinokibi is thought to be linked to the same attackers that created the prolific GandCrab ransomware.
While the infection vector into CyrusOne isn’t known - CyrusOne declined to comment for this piece - Sodinokibi has been observed being distributed via spear phishing and poisoned downloads and exploiting vulnerabilities in unpatched Oracle WebLogic servers, wherein it encrypts data in the user's directory and deletes shadow copy backups to prevent quick recovery.
Unlike many forms of ransomware, it can also be executed remotely. It doesn’t, however, currently have any capability to self-propagate. It can also steal data before it encrypts, meaning that as well as disrupting operations, the attackers can leak whatever information was on the machine prior to encryption. Cybercriminals claiming to be behind Sodinokibi have threatened to release data collected from victims prior to encryption.
“This seems to be a new evolution in ransomware meant to pressure victims into paying,” says Bitdefender’s Arsene, “by scaring companies with potential fines applied by legislators if attackers were to publicly expose customer or sensitive data. In essence, the bigger the potential fine caused by a data breach on a company, the bigger the stake for the ransomware operator.”
The fact that it was the Managed Service Division of the company that was affected was likely no accident. MSPs make an appealing target for cybercriminals of all stripes: as well as often presenting a large attack surface, the fact that they often have routes into the IT estates of customers means attackers can extort not only the MSP but many of its customers too. Sodinokibi has been used against multiple MSPs since it was first spotted in the wild, including California-based Synoptek in December.
“This situation highlights that data center and Infrastructure-as-a-Service (IaaS) providers are just as vulnerable to attacks as other companies,” Thomas Hatch, CTO and co-founder at SaltStack, told press at the time of the attack. “While IaaS providers generally create very secure infrastructures, there is still the liability that they can be attacked in this manner.”
CyrusOne wasn’t oblivious to the threat; in a regulatory filing from 2018, the company listed ransomware and other cybersecurity issues against both itself and its customers as a risk factor for the company that would only increase over time.
Where there is one, there are often more, and data center operators should take note of lessons they can learn in order to better protect themselves from this and other strains of ransomware in the future.
Lesson One: Know your enemy and understand the threat
Data center owners and operators of all stripes should be well aware of the threats they face; not only the who, but the how and why.
Which groups are active in the locations you have operations in? Which groups are known to target companies not only in your sector but that of your customers? What are their tools, techniques, and procedures; how do they get in, what do they do once they’re in, and what are their final goals? Some attackers might use phishing attacks to deliver ransomware for money, others might hijack credentials to later steal information.
Understanding the threats you face enables you to see where your defenses might be vulnerable, and therefore give you an opportunity to put extra defenses, controls, and monitoring in place.
Lesson Two: Educate your staff to cut off an easy route of entry
The point of entry for many strains of ransomware is email. While it won’t prevent every attack, properly educating staff around phishing emails can help reduce the main route in for ransomware.
Many companies will simply run phishing simulation tests and admonish those who click through. However, good programs will go further and educate staff on what to look out for, share real-world examples of phishing email attempts, and will not blame staff that do fall for such attacks.
“It’s important that employees, new or seasoned, are well trained in terms of data protection practices within the company,” says BitDefender’s Arsene. “All employees need constant training and assessment, with a particular focus on new employees that may become more susceptible to various types of cyberattacks or infections.”
Admittedly, some of those phishing emails will simply be too good; emails from highly-skilled actors may well be indistinguishable from legitimate ones. However, most will have telltale signs that can give the game away if you know what to look for, and well-trained staff can prevent attacks before they begin by not clicking malicious links or opening malware-infected files.
On the technical side, labeling external emails, deploying the DMARC email authentication protocol, and having a dedicated internal email address that employees can send potential phishing emails to can all help.
Lesson Three: Patch what you can, isolate what you can’t
Patching is often simpler in theory than in execution, but understanding what vulnerabilities exist on an IT estate, where they are, and the risk a particular asset would pose to the business if compromised can go a long way to informing where your patching priorities should lie. And, if an asset can’t be patched for whatever reason, isolate it as much as possible and put extra monitoring in place.
Lesson Four: Have playbooks ready, and not just for the technical teams
Ransomware attacks are a worryingly common occurrence, but many companies will simply think ‘it will never happen to me.’ Instead of ignoring the threat, be prepared for it. Have your IT & security teams prepare playbooks for various ransomware scenarios; not just what happens if one device gets encrypted, but all of them.
What would happen if the phones went down? What would you do if your backups had been compromised? How quickly would you be able to respond? What would non-technical staff be doing during the incident? You can’t be prepared for every eventuality, but having a broad understanding of what kind of processes teams should be looking to follow can save time and smooth recovery operations.
Lesson Five: Don’t pay, have backups and insurance
Ideally, even if an organization is affected by ransomware, backups will be available to draw upon. Backups should be made and tested regularly to ensure companies are as resilient as possible.
“It’s recommended that organizations perform regular backups of their critical data, deploy encryption across their infrastructure, and use layered security solutions that can both detect and block potential ransomware infections,” explains BitDefender’s Arsene.
Sometimes, however, recovering from backup would simply be too time-consuming (and therefore costly) for an organization, leading it to think paying the ransom may be the quicker and cheaper course of action. However, as well as enabling attackers to continue operating and profiting, organizations may well be inviting further attacks, and there is a chance the criminals won’t provide any decryption keys, or that the keys won’t work.
“Law enforcement and security organizations recommend that victims don’t give in to these ransom notes, as paying will only encourage ransomware operators to continue investing in ransomware development,” says Arsene.
Instead, companies should ensure they have comprehensive cyber-insurance which will cover the organization’s costs and loss of business during any such incidents. Having an incident response firm on retainer or knowing which such organization you would reach out to in such an incident is also prudent.
Lesson Six: Prepare your public response ahead of time
Suffering a cyberattack isn’t the taboo it once was. Incidents occur so frequently that all but the most serious will quickly be forgiven, by a public increasingly aware of the danger. What matters more is how you react. A swift and well-planned response can actually improve a company’s standing.
To take two examples: both Maersk and Norsk Hydro suffered major incidents that brought the companies to their knees operationally, but were praised for their rapid and open response. Both companies provided continual operational updates not only internally to staff but publicly, and both actually saw their share prices increase after initial drops.
When CyrusOne announced the initial incident, it provided little detail. While it gave a brief statement to the press, there were no follow-up posts explaining the issue in detail or the status of the recovery effort. Those interested had to turn to its customer, FIA Tech, which provided regular updates during the incident.
Just as companies expect their security teams to be well-drilled to know what to do in such incidents, their communications and leadership teams should also be well-drilled on how to respond to incidents; identify key stakeholders, have messages prepared, be ready and willing to provide regular and detailed updates.