Server room with computers showing Denmark hosting providers ransomware attack

Ransomware Attack on Danish Hosting Providers Causes Almost Complete Data Loss for Customers

Two web hosting providers in Denmark are teetering on the brink after a devastating ransomware attack that wiped out most customer data. The two firms have refused the option of paying off the criminals, but appear to be unable to recover the data of most of their clients and have only some of their servers back up and running.

Neither of the companies have thrown in the towel as of yet, but are recommending that customers move to other hosting providers given the ongoing difficulty of recovery. The companies mostly focused on local customers within the country, and several hundred Danish businesses are thought to be impacted by the ransomware attack.

Denmark hosting providers crippled by ransomware attack

The ransomware attack on hosting providers CloudNordic and AzeroCloud forced a complete shutdown of their services for several days, leaving customers unable to access any of their online data or communications. The majority of the customer data is thought to be completely lost at this point, and only some of the servers have been brought back online (sans any customer information).

Both of the hosting providers are owned by Certiqa Holding, which has involved law enforcement and cybersecurity experts but says that it will not consider paying a ransom. The situation appears to be so hopeless that the hosting providers have posted instructions for restoring from local backups or combing the Wayback Machine to find saved archives.

Certiqa Holding also owns security firm NetQuest, and the company says that appropriate firewalls and antivirus systems were in place. But the ransomware attack was able to sneak through defenses during a data center migration in which the compromised servers were connected to the full network, which gave the attackers access to all backups and administrative systems. It is possible that one server was already compromised, and when the connection for the data migration began the malware was able to spread throughout the rest of the network.

Steve Hahn, Executive VP of BullWall, notes that hackers often look for data migrations as a period of opportunity: “Migrations are when companies are at their most vulnerable. Whether it’s the Dallas Police a few years back, who lost terabytes of data during a migration, throwing cases and convictions into to chaos, or latent cyber attacks that are triggered during the migration, companies need a containment, backup and security plan in place long before the migration occurs. During one of these large scale migrations we often see ports opened, applications white listed, security services may be suspended and people are generally more at risk to social engineering strategies.”

“The attack vectors multiply by the100’s during these migrations and our data is at its most vulnerable state. Often companies put security projects on hold to “focus” on these migrations, when precisely the opposite should occur. The migration should be put on hold until the security controls are firmly in place and tested,” noted Hahn.

The ransomware attack appears to have been limited to encrypting data, with the hosting providers reporting no signs of exfiltration. But with all of the backups also corrupted and no apparent hope of recovery, the future of both companies is now extremely uncertain.

Ransomware attacks, data extortion on the rise again after temporary lull

A number of major cybersecurity firms have released reports on ransomware attacks in late August, and the general consensus is that attempts are once again sharply on the rise and increasing in sophistication. Though much of this current wave can be directly tied to the Cl0p ransomware gang, now one of the biggest in the world, and its well-planned string of exploitations of MOVEIt vulnerabilities. As of last week that group has racked up at least 730 victims around the world and is thought to have compromised tens of millions of records of personal information, though it has been leaning more on simple data extortion rather than its usual deployment of ransomware during this particular campaign.

While Cl0p is responsible for the majority of the victims of data theft at present, about eight active new groups have emerged and many of these are thought to be composed of members of prior high-profile groups that have broken up or seen personnel peel off. Some security analysts have found that a record number of ransomware attacks were attempted in July, along with a major spike in attacks for Q2 of the year. There had been something of a prior lull coming out of the pandemic in which it seemed cyber criminals were becoming more interested in phishing and business email compromise, but ransomware attacks have remained consistently strong since at least 2019 and zero-day vulnerabilities earmarked for these attacks remain a very hot commodity.

As Kevin Kirkwood, Deputy CISO at LogRhythm, observes: “Unfortunately, ransomware attacks continue to target businesses with substantial IT data. Effectively countering these cyber threats demands thorough readiness, and enterprises must adopt a proactive stance, investing in cybersecurity solutions capable of preemptively identifying malicious cyber activities and empowering network systems to repel further breach attempts. Additionally, firms should establish data backups, formulate response protocols, and prioritize staff training to manage attacks and sustain operations. However, while backups aid in recovery, they can’t prevent data leaks– businesses should consistently prioritize prevention and detection tools, ensuring proper protective measures and comprehensive visibility across their network landscape. Additionally, Zero Trust should be applied across all internal IT landscapes. Without it, organizations are only protected to the outside edge of their systems, and once attackers get in, they have free access across internal systems.”

Web hosting providers have not been a special point of interest for ransomware groups as of late, but there have been some major attacks that have caused spillover effects with client websites. A late 2020 attack on Managed.com, one of the world’s biggest managed service providers, forced the company to temporarily take down its entire web hosting infrastructure. Ultimately only a relatively small amount of customers had their data encrypted by the ransomware attack, but the company took heat for first trying to play the incident off as a maintenance issue before being forced to admit that they were breached. And in late 2022, major email and cloud hosting provider Rackspace Technology was hit by a ransomware attack that shut down its email services.

Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, notes that the incident once again stresses the importance of having both online and offline backups: “It’s unfortunate that so much data was lost. That means they didn’t have any recent backups offline. It’s imperative in today’s ransomware world that all companies have a secure, reliable backup stored offline. And truly offline. If you can get to your “offline” backup remotely, so too, can an attacker. An offline backup should be stored in such a way that it cannot be accessed without someone doing something physically to put it back online. Any other approach is just too risky in today’s insecure cybersecurity world.”