When news broke last week of CyrusOne getting hit with the Sodinokibi (REvil) ransomware, no one painted a picture of a company scrambling to find backups or paying a ransom. Customers of CyrusOne were even praising the response and ability to restore operations. This seems to have angered the operators behind the ransom-as-a-service operators. In a forum post, found by Twitter user Damian1338, a threat actor using the handle “UNKN” claimed that the group had successfully stolen data from CyrusOne before encrypting files. The group claimed that in each ransomware attack, they steal copies of data files before encrypting them. Any victims who refuse to pay may have their information sold to competitors or just leaked online to cause damage. Although it is entirely possible that the group managed to steal data, it’s worth noting that the data exfiltration capabilities for the Sodinokibi ransomware itself are limited to basic host information–and only when specifically enabled by the distributor.
Always keep anti-virus solutions up to date. When deploying security solutions for the enterprise, consider using an EDR (endpoint detection and response) solution side-by-side with AV products. Utilizing an EDR solution or an MDR (managed detection and response) can help spot threats before they spread too far. Many forms of ransomware also seek out network attached drives when encrypting files; backups should be updated periodically and stored offline in a secure location. To combat data exfiltration, consider adding a DLP (data loss prevention) solution as another layer of security.