One day after news broke that data center provider CyrusOne had reportedly been hit with a combined ransomware/data breach involving the REvil (aka Sodinokibi) ransomware, the company issued a statement confirming the incident.
Initially, CyrusOne did not release any details, but ZDNet reported the attack took place on December 4. A screenshot of the ransom note indicated all the files were locked and that the threat actors would allow one file to be decrypted for free as an act of good faith that a payment would result in all the files being unlocked.
In a statement posted on December 5, the company said its managed service division was working to restore availability for six managed service customers affected by a ransomware program that had encrypted certain devices. The customers are primarily serviced by CyrusOne’s New York Data Center.
"CyrusOne’s data center colocation services, including IX and IP Network Services, are not involved in this incident," the company said.
Tripwire’s Graham Cluley noted that historically REvil has been distributed through malicious email campaigns using spearphishing and booby-trapped documents, through compromised RDP, and through exploit kits.
Over the last year Sodinokibi has been used in several attacks and may have been created by the developers who were behind GandCrab.