As revealed in their notice, the attack also caused disruption in FIA Tech services leading to outages.
Based on our team’s analysis and that of our third party security experts, our outage was caused by a hacking incident which originated from inside our data center provider’s management network.Explaining further about the incident, FIA Tech mentioned that the attack continued for 4 hours during where attackers had access to their production and disaster recovery environments.
For the kind of malware involved in this incident, FIA Tech confirmed it as a Sodinokibi variant. It is a relatively new variant presently undetected by numerous antivirus software.
Based on our initial research, the attack on our datacenter provider involved a combination of tools, and then finally the encryption of our machines was performed by a variant of Ransom.Win32.SODINOKIBI.AUWTF. The signature of this variant was not in the databases of many commercial antivirus providersWhile they did not name the data center provider, ZDNet has confirmed it to be CyrusOne. They have also obtained a copy of the ransomware note.
There is currently no evidence that any data was exfiltrated, instead the attack was focused on disrupting operations in an attempt to obtain a ransom from our data center provider. The service provider believes the objective of the hack was not to steal data.According to ZDNet, the attack did not impact all data centers belonging to CyrusOne. Lets hope the affected ones were adequately backed up.
In September, Sodinokibi also infected a dental data backup firm. That time too, there seemed no data exfiltration, but a mere demand for ransom.
Let us know your thoughts in the comments.