One of the largest data center operators in the U.S., CyrusOne, has been hit with the Sodinokibi (also known as REvil) ransomware. The incident affected six of CyrusOne’s managed services customers located in its New York data center. Sodinokibi was first discovered in April 2019 and was linked to the GandCrab ransomware because of similarities in code and because it appeared around the time of GandCrab’s retirement announcement. It is capable of exploiting CVE-2018-8453 to escalate privileges, terminating processes named in its configuration file, completely wiping blacklisted folders, encrypting files on local machines and network-connected shares, and exfiltrating basic host information about the victim machine. CyrusOne does not intend to pay the ransom, however. Thomas Hatch, co-founder of SaltStack, was quoted as saying, “The response and remediation from CyrusOne have been excellent given its ability to restore data from backups and respond rapidly to the attack.”
All businesses should keep their anti-virus solutions up to date to catch threats like these and complement them with an endpoint detection and response solution. Timely patch management is also critical, as malware often exploits vulnerabilities like CVE-2018-8453 to escalate privileges to an administrative level. Finally, the most important thing is to keep up-to-date backups. Many ransomware samples will reach external drives and network shares, so backups should not be kept connected at all times, or they risk being encrypted as well.
Sources: https://www.zdnet.com/article/ransomware-attack-hits-major-us-data-center-provider/, https://threatpost.com/ransomware-data-center-cyrusone/150873/