Danish Cloud Hosting Provider, CloudNordic, Loses All Client Data After Ransomware Attack

On Friday 8/18/23, Danish cloud hosting provider, CloudNordic, was exposed to a ransomware attack.

(What their website used to look like. As of 8/24/23, it’s returning “not found”.)

Here’s what they had to say about being hacked:

For customers in CloudNordic

Unfortunately, during the night of Friday 18-8-2023 at 04:00, CloudNordic was exposed to a ransomware attack, where criminal hackers shut down all systems. Websites, e-mail systems, customer systems, our customers’ websites, etc. Everything. A break-in that has paralyzed CloudNordic completely, and which also hits our customers hard.

As we cannot and do not want to meet the financial demands of the criminal hackers for ransom, CloudNordic’s IT team and external experts have been working hard to get an overview of the damage and what was possible to recreate.

Unfortunately, it has proved impossible to recreate more data, and the majority of our customers have thus lost all data with us. This applies to everyone we have not contacted at this time.

The hacking attack has been reported to the police.

Status

We are deeply affected by the situation, and are aware that the attack is also very critical for many of our customers. In addition to data, we also lost all our systems and servers and have had difficulty communicating. We have now re-established blank systems, e.g. name servers (without data), web servers (without data) and mail servers (without data).

Get help to move on without moving

We are ready to restore customers on the same name servers with a DNS administration interface, as well as new web servers (without data) and mail servers (without data), so that customers have the opportunity to get mail and the web working again, without moving the domain. Write to support@azero.dk with the word RESTORE in the subject line. In the email, write your email and your phone number as well as the domain, and then you will get a login to a new website and email solution, where you can upload the website yourself and create email addresses.

DIY

Regarding domains where you need to have DNS management quickly:

This is the fastest method to get DNS working again for your domain.

  • We have re-established all name service servers, but do not have your DNS zone. Much of the zone can often be copied from https://securitytrails.com/list/keyword > your-domain.xx > Subdomains (very technical).
  • If you contact us at support@azero.dk and you are verified as the owner as described below (via email or phone), you can ask us to create your domain on our name service again, which the domains still point to. You will then get access to a self-service DNS tool (PowerDNS-Admin), where you can do one of the following:
    • Create the DNS zone as you know it should be.
    • Copy zone elements from Securitytrails (see above).

Regarding domains you want moved:

Note that transferring a domain can take days, so if you want to use DNS again more quickly, you can use the option above first, and then possibly move the domain afterwards.

  • For .dk domains, you can order a new web hotel from another provider, and you yourself have access to approve the transfer of the domain to a new provider, via punktum.dk .
  • For .com domains, you must also order the domain from a new provider, and then use an authorization code from CloudNordic (auth code), here we ask you to contact us at support@cloudnordic.com . Please note that we are in a very difficult situation as we cannot keep up with all the requests, so please help us to do it as quickly and efficiently as possible. We must verify that we only send auth codes to the owner of the domain, and we can:
    • Send to the email linked to the registrant (owner) of the domain.
    • Call you on the phone number connected to the registrant (owner) of the domain and verbally tell you what the code is. We can NOT give you an auth code when you call us, only by calling the applicable number. You must therefore contact support@cloudnordic.com and ask us to call you.
    • If we cannot contact you by email or phone, the process will become even more time-consuming and will end up at the back of the queue of tasks. We will of course try to carry out the task, but at this stage we cannot say anything about when. We are very sorry for that.
    • Contact our supplier of .com domains directly. It’s Ascio, and they can be contacted at help@ascio.com .
  • For all other domains, the rules are different. We have all domains other than .dk with the supplier Ascio, so follow the same procedure as for .com. Some will have to use an auth code; for others it is not necessary.

Suggestions for being able to recreate your own websites:

Suggested email:

  • When you have had mail restored by a provider, and you have all your old mail in a mail client (Outlook, Apple Mail and the like) on your own computer, you should make sure to create a new account in your client for the new mail account. You can then transfer emails to the new email account in your client.
  • If you instead correct information in an existing account on your email client, your email client will delete all emails. After this, you can only get emails back if you first restore your email client from before the change, and then set up a new email account, and then move emails over manually. On a Mac, you can use the built-in Time Machine program.

What happened?

It is our best estimate that, when servers had to be moved from one data center to another, some of the machines were infected before the move, despite the fact that the machines that were moved were protected by both firewall and antivirus. The infection had not been actively used in the previous data center, and we had no knowledge that there was an infection.

During the work of moving servers from one data center to the other, servers that were previously on separate networks were unfortunately wired to access our internal network that is used to manage all of our servers.

Via the internal network, the attackers gained access to central administration systems and the backup systems.

Via the backup system, the attackers managed to gain access to:

  • All storage (data)
  • Replication backup system
  • Secondary backup system

The attackers succeeded in encrypting all servers’ disks, as well as on the primary and secondary backup system, whereby all machines crashed and we lost access to all data.

No data breaches

The attack occurred by encrypting all disks for all virtual machines, and we have seen no evidence of a data breach. We have not seen that the attackers had access to the data content of the machines themselves, but to administration systems from which they could encrypt entire disks. Very large amounts of data were encrypted, and we have seen no signs that large amounts of data have been attempted to be copied out.

We deeply regret the situation and thank the many loyal customers who have been with us over the years.

Sincerely

CloudNordic

In short, a full data loss.

“No data breaches”

…what?

The first line of the statement released by CloudNordic says that every server they have was hacked and compromised.

All of the data was breached. Everything contained on those servers should be considered as good as leaked.

Saying “we have seen no signs that large amounts of data have been attempted to be copied out” is meaningless.

It’s just a blank PR statement.

What Does This Mean for CloudNordic?

We’ll have to see. Obviously, they wrote the situation off to their customers as an “it is what it is” situation.

With every single paying client’s data now being gone, you’ll have to ask yourself:

How many of those people even took their own backups? The minority, I’d bet.

So, if the hosting provider they trusted to be reliable suddenly loses all of their data…

They’re probably not going to give it a second chance. It’s probably a done deal at that point.

If I were in the shoes of a CloudNordic customer, all of my confidence in the people behind the brand would be gone.

Then we’re left with an argument for the deadpool of CloudNordic…

(If you’re unfamiliar, a deadpool is our way of saying bankruptcy here at LowEndBox and LowEndTalk.)

If a majority of their paying clients leave, CloudNordic isn’t going to be able to afford to be in business.

Hosting businesses rely extensively on their reputation when it comes to reliability.

Being known as the company that lost all your data to ransomware doesn’t inspire confidence…

It’ll be hard for them to continue to grow under the same brand name with the amount of publicity this situation has caused, even once they move past this.

Their central selling point now has a giant hole put in it.

Ransomware Attacks Are on the Rise

Ransomware attacks have been on the rise in the last couple of years.

Even huge companies like Acer have recently become victims of ransomware attacks.

It’s a profitable business, and I don’t think we’ll see ransomware attacks stopping anytime soon. In fact, I think attacks will continue to get more frequent and sophisticated.

According to Zscaler, a large IT security company, “Ransomware attacks increased by over 37% in 2023, with the average enterprise ransom payment exceeding $100,000 with a $5.3 million average demand.”

I’m not affiliated, but they put together a very nice report about ransomware attacks. It’s worth a read (you’ll have to use a business email to get it).

Anyways, we can’t expect ransomware attacks to stop anytime soon. They won’t.

It’s important to properly secure your servers, especially as a hosting provider. That’s what you’re paid for.

Simple things like:

  • disabling root login
  • encrypting disks
  • requiring SSH keys to log in
  • only allowing specific IPs to access your server
  • configuring a firewall like UFW

can help save your entire company from deadpool, or at least your data from disappearing into a void of encrypted nothingness.
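As an added example (not code from CloudNordic or from this post’s author), here is a small POSIX-sh audit that checks an sshd_config and the text of `ufw status` against three of the points above: root login disabled, key-only authentication, and SSH reachable only from a specific IP. The sample config files are constructed for the demonstration, and the function names and temp paths are assumptions.

```shell
#!/bin/sh
# Added example, not CloudNordic's or LowEndBox's code: audit the hardening
# points above against constructed sample files. sshd uses the FIRST value
# it sees for a keyword, so the checks do the same.

# Usage: sshd_directive_is KEY VALUE < sshd_config
# Exit 0 if the first uncommented KEY line carries VALUE (case-insensitive).
sshd_directive_is() {
    awk -v key="$1" -v want="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) && !seen { val = $2; seen = 1 }
        END { exit (tolower(val) == tolower(want)) ? 0 : 1 }'
}

# Usage: audit_sshd FILE ; prints each failing directive, exit 1 if any fail.
# An absent PermitRootLogin counts as a failure: the default still lets root in with a key.
audit_sshd() {
    cfg=$1; bad=0
    for want in "PermitRootLogin no" "PasswordAuthentication no" "PubkeyAuthentication yes"; do
        set -- $want   # split "Key value" into $1 and $2
        if ! sshd_directive_is "$1" "$2" < "$cfg"; then
            echo "FAIL: $cfg: expected '$1 $2'"; bad=1
        fi
    done
    return $bad
}

# Usage: ssh_open_to_world FILE ; FILE holds the text of `ufw status`.
# Exit 0 (true) if 22/tcp is ALLOWed from Anywhere, i.e. not IP-restricted.
ssh_open_to_world() {
    grep -Eiq '^22/tcp[[:space:]]+ALLOW[[:space:]]+Anywhere' "$1"
}

# Constructed samples: an sshd_config as commonly shipped, a hardened one,
# and two `ufw status` listings (one open to the world, one pinned to an IP).
TMP=$(mktemp -d)
printf '%s\n' '#PermitRootLogin prohibit-password' 'PasswordAuthentication yes' \
    'PubkeyAuthentication yes' > "$TMP/weak_sshd"
printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no' \
    'PubkeyAuthentication yes' > "$TMP/hard_sshd"
printf '%s\n' 'Status: active' '' 'To    Action    From' \
    '22/tcp    ALLOW    Anywhere' > "$TMP/weak_ufw"
printf '%s\n' 'Status: active' '' 'To    Action    From' \
    '22/tcp    ALLOW    203.0.113.10' > "$TMP/hard_ufw"

audit_sshd "$TMP/weak_sshd" || echo "weak sshd_config needs work"
audit_sshd "$TMP/hard_sshd" && echo "hardened sshd_config passes"
ssh_open_to_world "$TMP/weak_ufw" && echo "weak ufw: SSH reachable from any IP"
ssh_open_to_world "$TMP/hard_ufw" || echo "hardened ufw: SSH limited to one IP"
```

On a real host you would point `audit_sshd` at /etc/ssh/sshd_config and feed `ufw status` output to `ssh_open_to_world`; the audit only reads files and changes nothing.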

At least configure external backups…

Should CloudNordic Have Paid Up?

As they said themselves “we cannot and do not want to meet the financial demands of the criminal hackers for ransom”.

They couldn’t pay whatever the hackers asked for, let’s assume a million. Understandable.

But, to be fair, even if they could afford it… I probably wouldn’t have paid it myself.

We’ve seen multiple events in the past where paying the ransom didn’t result in a beneficial outcome for the victim, and you can’t quite reverse a cryptocurrency payment.

Even the FBI recommends not paying ransoms:

The FBI does not support paying a ransom in response to a ransomware attack. Paying a ransom doesn’t guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity.

They shouldn’t have paid, but they should have secured their servers to begin with.

It’ll be extremely hard for them to move past this, but possible…

We’ll see how this plays out for CloudNordic.

Sir Foxy
