When news broke last week of CyrusOne being hit with the Sodinokibi (REvil) ransomware, no one painted a picture of a company scrambling to find backups or paying a ransom. Customers of CyrusOne even praised the company's response and its ability to restore operations. This seems to have angered the operators behind the ransomware-as-a-service operation. In a forum post found by Twitter user Damian1338, a threat actor using the handle "UNKN" claimed that the group had stolen data from CyrusOne before encrypting files. The group claimed that in every one of its ransomware attacks it copies data files off the network before encrypting them, and that victims who refuse to pay may have their information sold to competitors or simply leaked online to cause damage. Although it is entirely possible that the group exfiltrated data through some other tooling, it is worth noting that the data exfiltration capability built into the Sodinokibi ransomware itself is limited to basic host information, and that it is only active when the distributor specifically enables it in the malware's configuration. A claim of stolen data should therefore be evaluated against evidence of separate exfiltration activity (additional tools, unusual outbound transfers) rather than taken as implied by the presence of the ransomware alone.