Danish cloud hosting providers CloudNordic and AzeroCloud have lost access to all customer data after a ransomware attack.
“Unfortunately, during the night of Friday 18-8-2023 at 04:00, CloudNordic/AzeroCloud was exposed to a ransomware attack, where criminal hackers shut down all systems,” the companies said in matching statements on their respective websites. “Websites, e-mail systems, customer systems, our customers' websites, etc. Everything. A break-in that has paralyzed CloudNordic/AzeroCloud completely, and which also hits our customers hard.”
Danish press reports that “hundreds” of companies have been impacted. Martin Haslund Johansson, director of AzeroCloud and CloudNordic, told Radio4 he was “furiously sad”.
“I don't expect that there will be any customers left with us when this is over,” he said.
The companies’ usual websites, which offered ITSM, cloud, and hosting services, have been replaced with a text post explaining the current situation. An identical notice was posted to both the CloudNordic and Azero sites; both companies are owned by Denmark-registered Certiqa Holding, which also owns Netquest, a provider of threat intelligence for telcos and governments.
Radio4 said the ransom was six Bitcoins – equivalent to around $156,000, or more than 1 million Danish Kroner.
CloudNordic and Azero said they “cannot and do not” want to meet the financial demands of the hackers’ ransom. The companies said that while they are working to assess the damage and understand what could be restored, things look bleak.
“Unfortunately, it has proved impossible to recreate more data, and the majority of our customers have thus lost all data with us,” the companies said. “We are deeply affected by the situation, and are aware that the attack is also very critical for many of our customers. In addition to data, we also lost all our systems and servers and have had difficulty communicating. We have now re-established blank systems, e.g. name servers (without data), web servers (without data), and mail servers (without data).”
As to the cause, CloudNordic and Azero suggest that some servers may have been compromised in an attack that had gone undetected. Then, after a data center migration, servers that were previously on separate networks were wired to access the companies' internal network that is used to manage all of their servers.
Via the internal network, the attackers gained access to central administration systems and the backup systems. Attackers were able to gain access to all storage data, the replicated backup system, and the secondary backup system.
“The attackers succeeded in encrypting all servers' disks, as well as on the primary and secondary backup system, whereby all machines crashed and we lost access to all data,” the companies said.
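The failure described above, where a rewiring put previously separate servers on a network that led to administration and every backup tier, is something a reachability audit can flag before a migration goes live. The following is an added example, not code from CloudNordic, AzeroCloud or this article; the segment names and all three topologies are constructed assumptions.

```python
from collections import deque

def paths_from(flows, start):
    """Breadth-first search over allowed flows; returns {segment: path from start}."""
    seen = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in sorted(flows.get(node, ())):
            if nxt not in seen:
                seen[nxt] = seen[node] + [nxt]
                queue.append(nxt)
    return seen

def audit(flows, untrusted, protected):
    """Return {(untrusted, protected): path} for every protected segment an
    untrusted segment can reach by chaining allowed connections."""
    findings = {}
    for src in untrusted:
        reach = paths_from(flows, src)
        for dst in protected:
            if dst in reach:
                findings[(src, dst)] = reach[dst]
    return findings

# Constructed model: "A": {"B"} means hosts in A may open connections to B.
UNTRUSTED = ["legacy-servers"]  # hypothetical: possibly compromised earlier
PROTECTED = ["admin", "backup-primary", "backup-secondary"]

BEFORE = {  # legacy servers sit on their own network
    "legacy-servers": set(),
    "mgmt-net": {"admin"},
    "admin": {"storage", "backup-primary", "backup-secondary"},
}
# After the migration: legacy servers are wired onto the management network.
AFTER = {**BEFORE, "legacy-servers": {"mgmt-net"}}
# Same miswiring, but the secondary backup is pull-only (assumed mitigation):
# it connects out to the primary and accepts nothing from admin.
HARDENED = {**AFTER,
            "admin": {"storage", "backup-primary"},
            "backup-secondary": {"backup-primary"}}

if __name__ == "__main__":
    for name, flows in [("before", BEFORE), ("after", AFTER), ("hardened", HARDENED)]:
        print(name)
        for (src, dst), path in audit(flows, UNTRUSTED, PROTECTED).items():
            print(f"  {src} reaches {dst}: {' -> '.join(path)}")
```

In the "after" topology every backup tier shares one blast radius with the administration system; in the "hardened" variant the secondary copy stays unreachable even with the same miswiring.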
CloudNordic and Azero are understood to have operated in colocation space, but it is not clear which data centers they were located in.
Despite the attack, the companies said they had seen no evidence of data being exfiltrated.
“The attack occurred by encrypting all disks for all virtual machines, and we have seen no evidence of a data breach,” the companies said. “We have not seen the attackers have had access to the data content of the machines themselves, but to administration systems from which they could encrypt entire disks. Very large amounts of data were encrypted, and we have seen no signs that large amounts of data have been attempted to be copied out.”
“We deeply regret the situation and thank the many loyal customers who have been with us over the years.”
The hosting companies said they were ready to restore customers on the same name servers as well as new web and mail servers – without any of the previous data – so companies can begin operations again without moving the domain.
CloudNordic and Azero suggest customers try to restore data from local backups or resort to copying from the Internet Archive's Wayback Machine.